
Analysis Report RFQ_AP65425652_032421 isu-isu,pdf.exe

Overview

General Information

Sample Name:RFQ_AP65425652_032421 isu-isu,pdf.exe
Analysis ID:383968
MD5:98f9ea244308bb5969ea3c302c32efcd
SHA1:82a913894418af7834d23bc543eb286230d4edf4
SHA256:cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Tags:exeFormbook

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • RFQ_AP65425652_032421 isu-isu,pdf.exe (PID: 6788 cmdline: 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe' MD5: 98F9EA244308BB5969EA3C302C32EFCD)
    • RFQ_AP65425652_032421 isu-isu,pdf.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe' MD5: 98F9EA244308BB5969EA3C302C32EFCD)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 5128 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6316 cmdline: /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.luegomusic.com/pe0r/"], "decoy": ["quickeasybites.com", "idilecup.com", "atelierdusalon.com", "tigerking-safe.com", "goinyourstrength.com", "ssfgasia.com", "halmanseger.com", "hpcovn.com", "thegodfatherricedealer.com", "hzmsbg.com", "trickswithwix.com", "rbvctiu.com", "spystoredevices.com", "monlexiem.com", "apt-forward.com", "medsez.cloud", "nanantz.com", "kf350.com", "ztvwgqjya.com", "countingeverything.com", "motion-mill-tv.com", "mex33.info", "desertfoxindustries.com", "welchmanlongbow.com", "beachnovotel.com", "basicchan.com", "boekhoudingwetteren.com", "pierresplayhouse.com", "xitiefilm.com", "betterskindays.com", "hdeamutfak.com", "sqjqw4.com", "coloradocouponclub.com", "leadershipcodes.com", "simplysouthdisinfecting.net", "lideresdeimmunocal.com", "tipsaglik.com", "greaterluxuryrehab.info", "tennesseewheelrepair.com", "5150shoshone.com", "slot-782.com", "cubitia.net", "fudweisj.icu", "forguyshere.com", "connect-alert-status.network", "hannahkaylewis.com", "soarcredits.com", "queensindustrial.com", "kudzuentertains.com", "maconhemorrhoidcenter.com", "1364kensington.com", "prestamosa.com", "lifeisgoingwells.com", "cloverunner.com", "4608capaydrive.com", "neomily.xyz", "blushingdevil.com", "essentials-trading.com", "theinfoinsider.com", "heftylefties.com", "zea-px16z.net", "thecapitalhut.com", "rootedwithlovejax.com", "nesreenibrahimmd.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.luegomusic.com/pe0r/"], "decoy": ["quickeasybites.com", "idilecup.com", "atelierdusalon.com", "tigerking-safe.com", "goinyourstrength.com", "ssfgasia.com", "halmanseger.com", "hpcovn.com", "thegodfatherricedealer.com", "hzmsbg.com", "trickswithwix.com", "rbvctiu.com", "spystoredevices.com", "monlexiem.com", "apt-forward.com", "medsez.cloud", "nanantz.com", "kf350.com", "ztvwgqjya.com", "countingeverything.com", "motion-mill-tv.com", "mex33.info", "desertfoxindustries.com", "welchmanlongbow.com", "beachnovotel.com", "basicchan.com", "boekhoudingwetteren.com", "pierresplayhouse.com", "xitiefilm.com", "betterskindays.com", "hdeamutfak.com", "sqjqw4.com", "coloradocouponclub.com", "leadershipcodes.com", "simplysouthdisinfecting.net", "lideresdeimmunocal.com", "tipsaglik.com", "greaterluxuryrehab.info", "tennesseewheelrepair.com", "5150shoshone.com", "slot-782.com", "cubitia.net", "fudweisj.icu", "forguyshere.com", "connect-alert-status.network", "hannahkaylewis.com", "soarcredits.com", "queensindustrial.com", "kudzuentertains.com", "maconhemorrhoidcenter.com", "1364kensington.com", "prestamosa.com", "lifeisgoingwells.com", "cloverunner.com", "4608capaydrive.com", "neomily.xyz", "blushingdevil.com", "essentials-trading.com", "theinfoinsider.com", "heftylefties.com", "zea-px16z.net", "thecapitalhut.com", "rootedwithlovejax.com", "nesreenibrahimmd.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsa82C7.tmp\fsfomt.dll, ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, Virustotal: Detection: 35%
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, ReversingLabs: Detection: 41%
Yara detected FormBook
          Source: Yara matchFile source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, Joe Sandbox ML: detected
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.4ca7960.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.a0a460.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.646395751.000000001EF20000.00000004.00000001.sdmp, RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.691829468.0000000000ABF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.910667906.000000000488F000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, control.exe
          Source: Binary string: control.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe, Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe, Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe, Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.luegomusic.com/pe0r/
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=0Af10zgbdIViNGwjb+Oc1SkLmd7m2ZIFRN/3MUqpHhZEI8ml+kTCEnXA5UxsPaJdSh4V&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.1364kensington.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.luegomusic.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.kf350.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.pierresplayhouse.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.thecapitalhut.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.ssfgasia.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.desertfoxindustries.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.tennesseewheelrepair.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL&Yn=ybIHhf989FGTI0 HTTP/1.1, Host: www.rootedwithlovejax.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: Joe Sandbox View, IP Address: 199.59.242.153 199.59.242.153
Source: Joe Sandbox View, ASN Name: BODIS-NJUS BODIS-NJUS
Source: Joe Sandbox View, ASN Name: BIZLAND-SDUS BIZLAND-SDUS
Source: Joe Sandbox View, ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: unknown, DNS traffic detected: queries for: www.1364kensington.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 11:22:07 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: Apache/2Last-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 
65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei
          Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmpString found in binary or memory: http://business.google.com/
          Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmpString found in binary or memory: http://business.google.com/website/rooted-with-love/pe0r/
          Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmpString found in binary or memory: http://business.google.com/website/rooted-with-love/pe0r/&quot;
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000005.00000000.660312730.0000000002B50000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004182DC NtClose
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A099A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A095D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A098A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09820 NtEnumerateKey
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0B040 NtSuspendThread
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A099D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09950 NtQueueApcThread
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A10 NtQuerySection
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09B00 NtSetValueKey
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A095F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09560 NtWriteFile
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A096D0 NtCreateKey
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09650 NtQueryValueKey
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09760 NtOpenProcess
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09770 NtSetInformationFile
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0A770 NtOpenThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9560 NtWriteFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DA770 NtOpenThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_007181B0 NtCreateFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00718260 NtReadFile
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_007182E0 NtClose
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00718390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_007182DC NtClose
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: String function: 009CB150 appears 45 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0479B150 appears 39 times
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.647856936.000000001F036000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692313752.0000000002625000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692024635.0000000000C4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yar