Edit tour

Windows Analysis Report
RFQ862_791.exe

Overview

General Information

Sample name:	RFQ862_791.exe
Analysis ID:	1595176
MD5:	f204a99339695e8cf173579dbe2c2a88
SHA1:	91d88b49b0beb67c56531cffd926f8c4318a9114
SHA256:	125ec05200cbfcdfb774f734bcb6c32fbad9008f77feef9988fa9267e35e1ff4
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

RFQ862_791.exe (PID: 7412 cmdline: "C:\Users\user\Desktop\RFQ862_791.exe" MD5: F204A99339695E8CF173579DBE2C2A88)

powershell.exe (PID: 7584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7908 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RFQ862_791.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\RFQ862_791.exe" MD5: F204A99339695E8CF173579DBE2C2A88)

RFQ862_791.exe (PID: 7628 cmdline: "C:\Users\user\Desktop\RFQ862_791.exe" MD5: F204A99339695E8CF173579DBE2C2A88)

29fSUmF6ATRArN0.exe (PID: 5364 cmdline: "C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\ECEyswAc1d.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

sdchange.exe (PID: 8008 cmdline: "C:\Windows\SysWOW64\sdchange.exe" MD5: 8E93B557363D8400A8B9F2D70AEB222B)

29fSUmF6ATRArN0.exe (PID: 4432 cmdline: "C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\abSw07XaXwec.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 6192 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1337328382.0000000005180000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1326564775.00000000036B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000000C.00000002.3747403564.0000000005210000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3738649389.0000000002E50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1476508314.0000000001B60000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3745403321.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1473869422.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3745592825.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1323436744.0000000002847000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000009.00000002.3744955884.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1476794353.0000000002640000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: RFQ862_791.exe PID: 7412	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.RFQ862_791.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.RFQ862_791.exe.5180000.6.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ862_791.exe.5180000.6.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
6.2.RFQ862_791.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.RFQ862_791.exe.36d62a8.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ862_791.exe.36d62a8.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ862_791.exe.2ac613c.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ862_791.exe.2ac613c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.RFQ862_791.exe.28a4414.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ862_791.exe", ParentImage: C:\Users\user\Desktop\RFQ862_791.exe, ParentProcessId: 7412, ParentProcessName: RFQ862_791.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe", ProcessId: 7584, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ862_791.exe", ParentImage: C:\Users\user\Desktop\RFQ862_791.exe, ParentProcessId: 7412, ParentProcessName: RFQ862_791.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe", ProcessId: 7584, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:57:35.837329+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49843	172.67.189.219	80	TCP
2025-01-20T14:57:59.835515+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49977	45.41.206.57	80	TCP
2025-01-20T14:58:21.609586+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49981	162.0.236.169	80	TCP
2025-01-20T14:58:35.906314+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49985	67.225.218.50	80	TCP
2025-01-20T14:58:58.929598+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49989	47.83.1.90	80	TCP
2025-01-20T14:59:12.758282+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49993	104.21.112.1	80	TCP
2025-01-20T14:59:26.701789+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	49997	85.159.66.93	80	TCP
2025-01-20T14:59:40.487663+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50001	194.58.112.174	80	TCP
2025-01-20T14:59:53.894778+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50005	144.76.229.203	80	TCP
2025-01-20T15:00:16.098106+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50009	199.59.243.228	80	TCP
2025-01-20T15:00:40.499469+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50013	38.182.168.194	80	TCP
2025-01-20T15:00:54.641710+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50017	104.21.27.127	80	TCP
2025-01-20T15:01:03.388377+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50018	172.67.189.219	80	TCP
2025-01-20T15:01:17.609332+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.7	50022	45.41.206.57	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T14:57:54.657650+0100	2856318	1	A Network Trojan was detected	192.168.2.7	49956	45.41.206.57	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: RFQ862_791.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.goodmiddleitu.shop/t6ic/	Avira URL Cloud: Label: malware
Source: http://www.goodmiddleitu.shop/t6ic/?utlPy=D7dSiJaV7g6ehZYePJrJDyigsL01JBWLRf7ydyx05sajqf0zXHzzHNpYSZBpeRydtMgEjVu8l1hsj/FElB816mvPxJjETBr5GyGtW8yTw2HtuNy7TLLbTjaNzPN33F0+NvL0QqVQGSYX&wdtp=dfTtLdz8N4R4N22	Avira URL Cloud: Label: malware
Source: http://www.goodmiddleitu.shop	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: RFQ862_791.exe	Virustotal: Detection: 50%			Perma Link
Source: RFQ862_791.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3747403564.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3738649389.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476508314.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745403321.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1473869422.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745592825.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3744955884.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476794353.0000000002640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: RFQ862_791.exe

Joe Sandbox ML: detected

Source: RFQ862_791.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ862_791.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: sdchange.pdbGCTL source: RFQ862_791.exe, 00000006.00000002.1474289178.0000000001268000.00000004.00000020.00020000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744193416.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ862_791.exe, 00000006.00000002.1474581254.00000000017C0000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000003.1474184944.00000000049DF000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000003.1476763303.0000000004B8B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004D40000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ862_791.exe, RFQ862_791.exe, 00000006.00000002.1474581254.00000000017C0000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, sdchange.exe, 0000000A.00000003.1474184944.00000000049DF000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000003.1476763303.0000000004B8B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004D40000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: sdchange.pdb source: RFQ862_791.exe, 00000006.00000002.1474289178.0000000001268000.00000004.00000020.00020000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744193416.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 29fSUmF6ATRArN0.exe, 00000009.00000002.3743703565.000000000092F000.00000002.00000001.01000000.0000000D.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000000.1557990693.000000000092F000.00000002.00000001.01000000.0000000D.sdmp

Source: C:\Windows\SysWOW64\sdchange.exe

Code function: 10_2_02E6C3C0 FindFirstFileW,FindNextFileW,FindClose,

10_2_02E6C3C0

Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then xor eax, eax		10_2_02E59E20
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 4x nop then mov ebx, 00000004h		10_2_050904EE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49843 -> 172.67.189.219:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.7:49956 -> 45.41.206.57:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49981 -> 162.0.236.169:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49989 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49993 -> 104.21.112.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49997 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50018 -> 172.67.189.219:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49985 -> 67.225.218.50:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50009 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49977 -> 45.41.206.57:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50013 -> 38.182.168.194:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50017 -> 104.21.27.127:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50001 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50005 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50022 -> 45.41.206.57:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.letsbookcruise.xyz
Source:	DNS query: www.031233226.xyz

Source: Joe Sandbox View	IP Address: 67.225.218.50 67.225.218.50
Source: Joe Sandbox View	IP Address: 67.225.218.50 67.225.218.50
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: WEB2OBJECTSUS WEB2OBJECTSUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xyk7/?wdtp=dfTtLdz8N4R4N22&utlPy=7w6h3yg5DzwdgNI5ni7zdgWE01LLILB0WwRkNseC06Sr52JwcWk0c6DqTwIm1K9fQyswYfQJG9wFl64D0T3JG36kQc2rQq1GD8BAskxDNYo+6VGAAFjeTB6gR86Ok6zSVoeIRXBxNyag HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.bgezakofe.shopConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /phws/?utlPy=ocd4ZrzPXg6l4sWeBkNQwyo+1ztO6Qlaoz23ovA+FAa05WbJK6tPDbHnnDy/N4II5dY3pVgUKOhDHtvifryE1/g7Uq/bQtaZTJ5YtHQDcnXwjIgt0WlmOuVYOYFm+d/MC5lWaaAR7IC0&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.techstarllc.cloudConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /8t9s/?utlPy=cQOSSB92WrTaqBxBGgm+1NVrQbG/HKx6t2v2QQp7ftKEyFsbpuIbzJ+m0CFldn0ugFGiUddTcSTZ3FmKLOS+fnMQcHuRcnnDYz3kto3SN5Cqzd78NP+MWJq+dAjaBLbTOgi4Amc5lGaP&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.primetream.liveConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /4emb/?wdtp=dfTtLdz8N4R4N22&utlPy=4UULdis/QLNauySDaukyCqv0J0/Az9QB9T06+64m5ppnN51KKUcjYDTfNmInUMaV4Nrjr2QNBcJEKgo4MRK393ve/3UMmuyDb2z9FCp82j0fq+7kzbAhaUuGp98ap/RtjA8g3RWMd0Al HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.sorket.techConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /lf6y/?wdtp=dfTtLdz8N4R4N22&utlPy=WhdxLvX8GJneo6U0pntjZvwCQv5ZLgT4gCKWMK8L+5irjEYccqFO+hPhPBcWoDythyZIL285KG4ZhivHPukP5/h1LhJLW+QoU7l/8E86uSZRtGj7EZZgbCB9/ejDcQZk4lQzKwg8Sr2a HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.cruycq.infoConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /pmpa/?utlPy=UeIvIKLKGFys4rt2H7Fh9CRv6QcQWh9gMoTtmR20aEJv9MnWadULdaABdMWFlesQuWhFQQZZidkqYdB7fb3555maBJ9SGgIrlR9le3a7Y3U6O4Oj88AQE+kcKWJ3qw2py3oEtYzpu2Ss&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.dejikenkyu.cyouConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /uwne/?utlPy=vL36CH4RwprLmNwqm2jcMP4mPuqnVTrQlAQSHXNI75nLvOBtYNcxpRKkkR/hR1fY7vPFiFbrOB3asJH5t0/H6/X32lnahT9d2sl8fD5uiTxZAAtsGklg8875VsA5Eb8ABqt5X6SThs3N&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.letsbookcruise.xyzConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /50cv/?utlPy=8/mZ5/kJAMd8ILZDLFSpiSiFIgKGLaH3tYZ/jrsPdl51O6OfPchFdRhxxUbk+HRtUu3KFPC7ZsASc7+RDbYff6Rq1DyG79bWW2e5ySwcQWrqNa0HtXWhsh4g80kL2kYwdepJul01O2MF&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.stoauto.proConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /rzgj/?utlPy=BMD/pLiiSbOZg2ovvKDERonW93e7uE0IGEybm1oyBfQjTQpHRMiz2npnK3xJeUvctE6MjAsipB84993FIUUurTwqQpN//uKYSe/cy4+LBM41O9fEFcHxhG/YNktnz+ctrdyFi33JYOWG&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.031233226.xyzConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /55ao/?wdtp=dfTtLdz8N4R4N22&utlPy=lvdJYt6FRQF2HMlqMZMunMVyU5GAcszxV2F2f76D6yHbPuROARplWOWbiwrEME75Z/ZviWGgeKYojr+XWcnausprGQBeVgQ6MZ3f4X/vZB0KI5Bdnlj2lIAhrANfoCvfQlfit31/70J1 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.activeusers.techConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /7mtv/?wdtp=dfTtLdz8N4R4N22&utlPy=oIQkM5UlWiq1rG65cEbN4VdF8lCYrTRrZ87AGYhUYATyR9uRPv9WiuExWkdsLcC7aDI+kLE9knAR2uACDAq2gMUOwpr5SxO9XqV7ayvRBUgZsnXW6whdbrUNViFFAsyMGqMshO+oltXn HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.tnr3t1eb.vipConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /t6ic/?utlPy=D7dSiJaV7g6ehZYePJrJDyigsL01JBWLRf7ydyx05sajqf0zXHzzHNpYSZBpeRydtMgEjVu8l1hsj/FElB816mvPxJjETBr5GyGtW8yTw2HtuNy7TLLbTjaNzPN33F0+NvL0QqVQGSYX&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.goodmiddleitu.shopConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /xyk7/?wdtp=dfTtLdz8N4R4N22&utlPy=7w6h3yg5DzwdgNI5ni7zdgWE01LLILB0WwRkNseC06Sr52JwcWk0c6DqTwIm1K9fQyswYfQJG9wFl64D0T3JG36kQc2rQq1GD8BAskxDNYo+6VGAAFjeTB6gR86Ok6zSVoeIRXBxNyag HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.bgezakofe.shopConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16
Source: global traffic	HTTP traffic detected: GET /phws/?utlPy=ocd4ZrzPXg6l4sWeBkNQwyo+1ztO6Qlaoz23ovA+FAa05WbJK6tPDbHnnDy/N4II5dY3pVgUKOhDHtvifryE1/g7Uq/bQtaZTJ5YtHQDcnXwjIgt0WlmOuVYOYFm+d/MC5lWaaAR7IC0&wdtp=dfTtLdz8N4R4N22 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.techstarllc.cloudConnection: closeUser-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16

Source: global traffic	DNS traffic detected: DNS query: www.bgezakofe.shop
Source: global traffic	DNS traffic detected: DNS query: www.techstarllc.cloud
Source: global traffic	DNS traffic detected: DNS query: www.hokasportshoes.shop
Source: global traffic	DNS traffic detected: DNS query: www.primetream.live
Source: global traffic	DNS traffic detected: DNS query: www.sorket.tech
Source: global traffic	DNS traffic detected: DNS query: www.1337street.shop
Source: global traffic	DNS traffic detected: DNS query: www.cruycq.info
Source: global traffic	DNS traffic detected: DNS query: www.dejikenkyu.cyou
Source: global traffic	DNS traffic detected: DNS query: www.letsbookcruise.xyz
Source: global traffic	DNS traffic detected: DNS query: www.stoauto.pro
Source: global traffic	DNS traffic detected: DNS query: www.031233226.xyz
Source: global traffic	DNS traffic detected: DNS query: www.somethingketo.net
Source: global traffic	DNS traffic detected: DNS query: www.activeusers.tech
Source: global traffic	DNS traffic detected: DNS query: www.elevatetextiles.net
Source: global traffic	DNS traffic detected: DNS query: www.tnr3t1eb.vip
Source: global traffic	DNS traffic detected: DNS query: www.goodmiddleitu.shop

Source: unknown

HTTP traffic detected: POST /phws/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Host: www.techstarllc.cloudOrigin: http://www.techstarllc.cloudReferer: http://www.techstarllc.cloud/phws/Connection: closeContent-Length: 218Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0User-Agent: Opera/9.80 (J2ME/MIDP; Opera Mini/4.2.18975/37.6502; U; es) Presto/2.12.423 Version/12.16Data Raw: 75 74 6c 50 79 3d 6c 65 31 59 61 64 6d 78 62 43 79 4c 39 2b 76 34 55 45 64 47 31 43 38 6d 79 69 5a 6c 78 52 56 6d 75 6a 44 34 79 62 45 45 4e 78 4f 57 35 57 2b 6f 61 49 74 68 58 49 6a 39 33 67 57 32 50 49 38 6a 76 50 6b 57 68 31 4a 54 4b 65 59 35 46 4c 50 6a 65 36 48 6a 7a 4a 30 6a 57 62 7a 49 51 62 79 48 50 36 46 63 76 32 4d 52 45 46 7a 70 30 59 38 66 2b 6a 45 61 44 2b 4a 71 48 4c 78 64 30 66 6e 61 4b 59 52 4a 4a 61 73 6b 32 34 58 77 30 4a 51 36 47 2f 2b 4f 64 66 75 6a 6c 78 32 48 6b 35 73 61 77 61 4e 6e 6e 55 56 5a 69 58 2b 4b 6a 53 73 44 62 36 68 4d 45 69 52 34 54 39 4a 62 61 57 67 49 78 67 65 74 70 31 4a 43 4d 5a 6d 70 4d 31 79 4c 7a 41 3d 3d Data Ascii: utlPy=le1YadmxbCyL9+v4UEdG1C8myiZlxRVmujD4ybEENxOW5W+oaIthXIj93gW2PI8jvPkWh1JTKeY5FLPje6HjzJ0jWbzIQbyHP6Fcv2MREFzp0Y8f+jEaD+JqHLxd0fnaKYRJJask24Xw0JQ6G/+Odfujlx2Hk5sawaNnnUVZiX+KjSsDb6hMEiR4T9JbaWgIxgetp1JCMZmpM1yLzA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:57:35 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cfJacN2qiT99p2oMjb6AM7aJr1seSInmx9wY01uQiJBSY3IaelAvwlv5F4ueaRkM%2Fhq%2Bz8y05dSDCMfP%2Fa4lBW0VKiiIdD6hRHXX%2BpkfV5%2B1gqkdWOtO%2FD9AeATyasyv8YnzQUI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 904f9311ee1054af-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13706&min_rtt=13706&rtt_var=6853&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=445&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 30 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 32 0d 0a 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: a0<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 13:57:52 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 13:57:54 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 13:57:57 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 13:57:59 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:58:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:58:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:58:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:58:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 20 Jan 2025 13:58:50 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 13:59:26 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-20T13:59:31.5972380Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:59:46 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:59:48 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:59:51 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 13:59:53 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:00:46 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DPFqOnckGvj4TuW3yIfifhTy1Tzl03V7LfUVRzz7rY6e%2FiqAFNgmc6BoQlKnlzD0UR2jZfD49Y9Q4Bz7UD9gELeSKaiPtN0WRupGF0DrFhV7QUljZRSJ3m94M42nyLdjjhVPqDJ4ENKk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 904f97b77c6136d0-YYZContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13949&min_rtt=13949&rtt_var=6974&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=717&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6a c3 30 10 44 ef fa 8a 6d ee f1 3a 25 87 1c 16 41 1b 3b 34 e0 a4 a6 55 0e 3d aa d5 26 32 38 96 23 ad 6b fa f7 c5 0e 85 5e 67 de 0c 33 f4 50 bc 6e cd 47 5d c2 8b 39 54 50 9f 9e ab fd 16 16 4b c4 7d 69 76 88 85 29 ee ce 63 96 23 96 c7 85 56 e4 e5 da 6a f2 6c 9d 56 24 8d b4 ac d7 f9 1a 8e 41 60 17 86 ce 11 de 45 45 38 43 f4 19 dc cf 94 5b e9 7f 8c 5f 69 45 bd 36 9e 21 f2 6d e0 24 ec e0 f4 56 c1 68 13 74 41 e0 3c 71 10 3a 10 df 24 48 1c bf 39 66 84 fd d4 14 b5 22 eb 5c e4 94 f4 53 6f bf 3c c3 fb 0c 80 15 18 c7 31 bb 84 e0 ae 8d 73 2d 37 32 64 c9 87 1e ea 10 05 36 39 e1 5f 50 11 ce cb 08 e7 47 bf 00 00 00 ff ff e3 02 00 dc d9 af d1 0c 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5Lj0Dm:%A;4U=&28#k^g3PnG]9TPK}iv)c#VjlV$A`EE8C[_iE6!m$VhtA<q:$H9f"\So<1s-72d69_PG0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:00:48 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Znfrd7UIFOt4Oc1ZZ%2FBST6KMDMNz3EArfQCS0QcPv8lE%2FZL6HkNA8mJVgI%2Bzw%2Fpo3vCck0tpaiuo%2FR6O6ytcZ3oRSl2ZhqkI%2FelAmv5gvRP2Q8DX7BZwgJvNK2hElswWf433LuOhmsRh"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 904f97c8482ac5a2-IADContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7392&min_rtt=7392&rtt_var=3696&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=737&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6a c3 30 10 44 ef fa 8a 6d ee f1 3a 25 87 1c 16 41 1b 3b 34 e0 a4 a6 55 0e 3d aa d5 26 32 38 96 23 ad 6b fa f7 c5 0e 85 5e 67 de 0c 33 f4 50 bc 6e cd 47 5d c2 8b 39 54 50 9f 9e ab fd 16 16 4b c4 7d 69 76 88 85 29 ee ce 63 96 23 96 c7 85 56 e4 e5 da 6a f2 6c 9d 56 24 8d b4 ac d7 f9 1a 8e 41 60 17 86 ce 11 de 45 45 38 43 f4 19 dc cf 94 5b e9 7f 8c 5f 69 45 bd 36 9e 21 f2 6d e0 24 ec e0 f4 56 c1 68 13 74 41 e0 3c 71 10 3a 10 df 24 48 1c bf 39 66 84 fd d4 14 b5 22 eb 5c e4 94 f4 53 6f bf 3c c3 fb 0c 80 15 18 c7 31 bb 84 e0 ae 8d 73 2d 37 32 64 c9 87 1e ea 10 05 36 39 e1 5f 50 11 ce cb 08 e7 47 bf 00 00 00 ff ff e3 02 00 dc d9 af d1 0c 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5Lj0Dm:%A;4U=&28#k^g3PnG]9TPK}iv)c#VjlV$A`EE8C[_iE6!m$VhtA<q:$H9f"\So<1s-72d69_PG0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:00:51 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ni0PM68LVMkDPgmt9GFD4o3QAuy1t%2FZnOZbBCD6CAmNpLmUZMXmrc9Z9VnRPt45fUjjNDvubD5vhaT%2FOZUbE%2B7Wf1dUC6AV2l5e4P7%2F%2Fg%2FebC%2FPMrjpgDRaJODV7UdHT6c97zvianBSA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 904f97da5c0736db-YYZContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=13774&min_rtt=13774&rtt_var=6887&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1750&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 6a c3 30 10 44 ef fa 8a 6d ee f1 3a 25 87 1c 16 41 1b 3b 34 e0 a4 a6 55 0e 3d aa d5 26 32 38 96 23 ad 6b fa f7 c5 0e 85 5e 67 de 0c 33 f4 50 bc 6e cd 47 5d c2 8b 39 54 50 9f 9e ab fd 16 16 4b c4 7d 69 76 88 85 29 ee ce 63 96 23 96 c7 85 56 e4 e5 da 6a f2 6c 9d 56 24 8d b4 ac d7 f9 1a 8e 41 60 17 86 ce 11 de 45 45 38 43 f4 19 dc cf 94 5b e9 7f 8c 5f 69 45 bd 36 9e 21 f2 6d e0 24 ec e0 f4 56 c1 68 13 74 41 e0 3c 71 10 3a 10 df 24 48 1c bf 39 66 84 fd d4 14 b5 22 eb 5c e4 94 f4 53 6f bf 3c c3 fb 0c 80 15 18 c7 31 bb 84 e0 ae 8d 73 2d 37 32 64 c9 87 1e ea 10 05 36 39 e1 5f 50 11 ce cb 08 e7 47 bf 00 00 00 ff ff e3 02 00 dc d9 af d1 0c 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5Lj0Dm:%A;4U=&28#k^g3PnG]9TPK}iv)c#VjlV$A`EE8C[_iE6!m$VhtA<q:$H9f"\So<1s-72d69_PG0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:00:54 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=X9rb3NklZj887I6EZQSOm2X8%2FWrun410kyyonc5%2F%2FnkHMD4d2gBWT9nmELfMjpZCWXM3BvfxebyUHReYIOJobRDxnFIYHuBEyNUOiKMgod4bSArpLunBNW1FTmS0DmLmCnqOC3H1xAYF"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 904f97ec39c039c3-YYZalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=14058&min_rtt=14058&rtt_var=7029&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=449&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 30 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 6f 6f 64 6d 69 64 64 6c 65 69 74 75 2e 73 68 6f 70 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 10c<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.goodmiddleitu.shop Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Jan 2025 14:01:03 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HcRSzyDQX%2F%2FNj8H7iYfsXwdTMFiihIB8QVDmtuLT%2F4eyz9B1%2FW2SSdOzN%2FTRxgCXM3gtqbVwk3MAS%2Fh4P9OfFS2SG9ngnvxwqwFN3zrIPjUkdfSxrEl4sL2P2TylOHw6%2BXqr0Ew%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 904f98231c0d4cf5-BOSalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=7321&min_rtt=7321&rtt_var=3660&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=445&delivery_rate=0&cwnd=30&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a Data Ascii: a2<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 14:01:09 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 14:01:12 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 14:01:15 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 20 Jan 2025 14:01:17 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: RFQ862_791.exe, 00000000.00000002.1323436744.00000000026EB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sdchange.exe, 0000000A.00000002.3746723682.0000000006616000.00000004.10000000.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000002.3745353520.0000000003FE6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://stoauto.pro/50cv/?utlPy=8/mZ5/kJAMd8ILZDLFSpiSiFIgKGLaH3tYZ/jrsPdl51O6OfPchFdRhxxUbk
Source: 29fSUmF6ATRArN0.exe, 0000000C.00000002.3747403564.0000000005280000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.goodmiddleitu.shop
Source: 29fSUmF6ATRArN0.exe, 0000000C.00000002.3747403564.0000000005280000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.goodmiddleitu.shop/t6ic/
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: sdchange.exe, 0000000A.00000002.3742330311.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: sdchange.exe, 0000000A.00000002.3742330311.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: sdchange.exe, 0000000A.00000002.3742330311.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: sdchange.exe, 0000000A.00000002.3742330311.0000000002FC5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: sdchange.exe, 0000000A.00000002.3742330311.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: sdchange.exe, 0000000A.00000002.3742330311.0000000002FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: sdchange.exe, 0000000A.00000003.1672401097.0000000007EE4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: sdchange.exe, 0000000A.00000002.3746723682.00000000062F2000.00000004.10000000.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000002.3745353520.0000000003CC2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.dejikenkyu.cyou/pmpa/?utlPy=UeIvIKLKGFys4rt2H7Fh9CRv6QcQWh9gMoTtmR20aEJv9MnWadULdaABdMWF
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: sdchange.exe, 0000000A.00000002.3746723682.0000000006ACC000.00000004.10000000.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000002.3745353520.000000000449C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: sdchange.exe, 0000000A.00000003.1677885729.0000000007F08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3747403564.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3738649389.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476508314.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745403321.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1473869422.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745592825.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3744955884.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476794353.0000000002640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ862_791.exe

Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0042C533 NtClose,	6_2_0042C533
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018335C0 NtCreateMutant,LdrInitializeThunk,	6_2_018335C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832B60 NtClose,LdrInitializeThunk,	6_2_01832B60
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01832DF0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01832C70
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01833090 NtSetValueKey,	6_2_01833090
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01833010 NtOpenDirectoryObject,	6_2_01833010
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01834340 NtSetContextThread,	6_2_01834340
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01834650 NtSuspendThread,	6_2_01834650
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018339B0 NtGetContextThread,	6_2_018339B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832B80 NtQueryInformationFile,	6_2_01832B80
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832BA0 NtEnumerateValueKey,	6_2_01832BA0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832BE0 NtQueryValueKey,	6_2_01832BE0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832BF0 NtAllocateVirtualMemory,	6_2_01832BF0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832AB0 NtWaitForSingleObject,	6_2_01832AB0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832AD0 NtReadFile,	6_2_01832AD0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832AF0 NtWriteFile,	6_2_01832AF0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832DB0 NtEnumerateKey,	6_2_01832DB0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832DD0 NtDelayExecution,	6_2_01832DD0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832D00 NtSetInformationFile,	6_2_01832D00
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832D10 NtMapViewOfSection,	6_2_01832D10
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01833D10 NtOpenProcessToken,	6_2_01833D10
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832D30 NtUnmapViewOfSection,	6_2_01832D30
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01833D70 NtOpenThread,	6_2_01833D70
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832CA0 NtQueryInformationToken,	6_2_01832CA0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832CC0 NtQueryVirtualMemory,	6_2_01832CC0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832CF0 NtOpenProcess,	6_2_01832CF0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832C00 NtQueryInformationProcess,	6_2_01832C00
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832C60 NtCreateKey,	6_2_01832C60
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832F90 NtProtectVirtualMemory,	6_2_01832F90
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832FA0 NtQuerySection,	6_2_01832FA0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832FB0 NtResumeThread,	6_2_01832FB0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832FE0 NtCreateFile,	6_2_01832FE0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832F30 NtCreateSection,	6_2_01832F30
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832F60 NtCreateProcessEx,	6_2_01832F60
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832E80 NtReadVirtualMemory,	6_2_01832E80
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832EA0 NtAdjustPrivilegesToken,	6_2_01832EA0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832EE0 NtQueueApcThread,	6_2_01832EE0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01832E30 NtWriteVirtualMemory,	6_2_01832E30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB4650 NtSuspendThread,LdrInitializeThunk,	10_2_04DB4650
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB4340 NtSetContextThread,LdrInitializeThunk,	10_2_04DB4340
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_04DB2CA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_04DB2C70
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2C60 NtCreateKey,LdrInitializeThunk,	10_2_04DB2C60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_04DB2DD0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_04DB2DF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_04DB2D10
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_04DB2D30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_04DB2EE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_04DB2E80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2FE0 NtCreateFile,LdrInitializeThunk,	10_2_04DB2FE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2FB0 NtResumeThread,LdrInitializeThunk,	10_2_04DB2FB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2F30 NtCreateSection,LdrInitializeThunk,	10_2_04DB2F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2AD0 NtReadFile,LdrInitializeThunk,	10_2_04DB2AD0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2AF0 NtWriteFile,LdrInitializeThunk,	10_2_04DB2AF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_04DB2BF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_04DB2BE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_04DB2BA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2B60 NtClose,LdrInitializeThunk,	10_2_04DB2B60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB35C0 NtCreateMutant,LdrInitializeThunk,	10_2_04DB35C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB39B0 NtGetContextThread,LdrInitializeThunk,	10_2_04DB39B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2CC0 NtQueryVirtualMemory,	10_2_04DB2CC0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2CF0 NtOpenProcess,	10_2_04DB2CF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2C00 NtQueryInformationProcess,	10_2_04DB2C00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2DB0 NtEnumerateKey,	10_2_04DB2DB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2D00 NtSetInformationFile,	10_2_04DB2D00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2EA0 NtAdjustPrivilegesToken,	10_2_04DB2EA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2E30 NtWriteVirtualMemory,	10_2_04DB2E30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2F90 NtProtectVirtualMemory,	10_2_04DB2F90
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2FA0 NtQuerySection,	10_2_04DB2FA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2F60 NtCreateProcessEx,	10_2_04DB2F60
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2AB0 NtWaitForSingleObject,	10_2_04DB2AB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB2B80 NtQueryInformationFile,	10_2_04DB2B80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB3090 NtSetValueKey,	10_2_04DB3090
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB3010 NtOpenDirectoryObject,	10_2_04DB3010
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB3D70 NtOpenThread,	10_2_04DB3D70
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB3D10 NtOpenProcessToken,	10_2_04DB3D10
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E78F20 NtCreateFile,	10_2_02E78F20
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E79220 NtClose,	10_2_02E79220
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E79390 NtAllocateVirtualMemory,	10_2_02E79390
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E79090 NtReadFile,	10_2_02E79090
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E79180 NtDeleteFile,	10_2_02E79180

Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_02584204	0_2_02584204
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_025879D9	0_2_025879D9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C97280	0_2_04C97280
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C91AEC	0_2_04C91AEC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C90040	0_2_04C90040
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C909F0	0_2_04C909F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C929B0	0_2_04C929B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C90A00	0_2_04C90A00
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C97270	0_2_04C97270
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C91AE0	0_2_04C91AE0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_00418513	6_2_00418513
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040E048	6_2_0040E048
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040E053	6_2_0040E053
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_00403080	6_2_00403080
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_004028B0	6_2_004028B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_00401200	6_2_00401200
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0042EB63	6_2_0042EB63
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_00402C32	6_2_00402C32
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040FCEC	6_2_0040FCEC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040FCF3	6_2_0040FCF3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040251D	6_2_0040251D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_00402520	6_2_00402520
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040DEFA	6_2_0040DEFA
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040DF03	6_2_0040DF03
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0040FF13	6_2_0040FF13
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_00416723	6_2_00416723
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C01AA	6_2_018C01AA
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180B1B0	6_2_0180B1B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B81CC	6_2_018B81CC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F0100	6_2_017F0100
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189A118	6_2_0189A118
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01888158	6_2_01888158
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018CB16B	6_2_018CB16B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0183516C	6_2_0183516C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AF0CC	6_2_018AF0CC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B70E9	6_2_018B70E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BF0E0	6_2_018BF0E0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0184739A	6_2_0184739A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017ED34C	6_2_017ED34C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C03E6	6_2_018C03E6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E3F0	6_2_0180E3F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B132D	6_2_018B132D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BA352	6_2_018BA352
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018052A0	6_2_018052A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018802C0	6_2_018802C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C0591	6_2_018C0591
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189D5B0	6_2_0189D5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800535	6_2_01800535
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B7571	6_2_018B7571
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1460	6_2_017F1460
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AE4F6	6_2_018AE4F6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BF43F	6_2_018BF43F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B2446	6_2_018B2446
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BF7B0	6_2_018BF7B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FC7C0	6_2_017FC7C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01824750	6_2_01824750
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800770	6_2_01800770
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B16CC	6_2_018B16CC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181C6E0	6_2_0181C6E0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018029A0	6_2_018029A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018CA9A6	6_2_018CA9A6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01809950	6_2_01809950
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B950	6_2_0181B950
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01816962	6_2_01816962
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018038E0	6_2_018038E0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182E8F0	6_2_0182E8F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186D800	6_2_0186D800
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01802840	6_2_01802840
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180A840	6_2_0180A840
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E68B8	6_2_017E68B8
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181FB80	6_2_0181FB80
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B6BD7	6_2_018B6BD7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01875BF0	6_2_01875BF0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0183DBF9	6_2_0183DBF9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BAB40	6_2_018BAB40
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BFB76	6_2_018BFB76
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01845AA0	6_2_01845AA0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189DAAC	6_2_0189DAAC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018ADAC6	6_2_018ADAC6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BFA49	6_2_018BFA49
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B7A46	6_2_018B7A46
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01873A6C	6_2_01873A6C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FEA80	6_2_017FEA80
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01818DBF	6_2_01818DBF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181FDC0	6_2_0181FDC0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180AD00	6_2_0180AD00
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FADE0	6_2_017FADE0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01803D40	6_2_01803D40
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B1D5A	6_2_018B1D5A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B7D73	6_2_018B7D73
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0CB5	6_2_018A0CB5
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BFCF2	6_2_018BFCF2
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800C00	6_2_01800C00
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F0CF2	6_2_017F0CF2
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01879C32	6_2_01879C32
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801F92	6_2_01801F92
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187EFA0	6_2_0187EFA0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BFFB1	6_2_018BFFB1
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180CFE0	6_2_0180CFE0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BFF09	6_2_018BFF09
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01842F28	6_2_01842F28
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01820F30	6_2_01820F30
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F2FC8	6_2_017F2FC8
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01874F40	6_2_01874F40
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01812E90	6_2_01812E90
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BCE93	6_2_018BCE93
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01809EB0	6_2_01809EB0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BEEDB	6_2_018BEEDB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BEE26	6_2_018BEE26
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800E59	6_2_01800E59
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E2E4F6	10_2_04E2E4F6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E32446	10_2_04E32446
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E24420	10_2_04E24420
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E40591	10_2_04E40591
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D80535	10_2_04D80535
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D9C6E0	10_2_04D9C6E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D7C7C0	10_2_04D7C7C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DA4750	10_2_04DA4750
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D80770	10_2_04D80770
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E12000	10_2_04E12000
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E381CC	10_2_04E381CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E341A2	10_2_04E341A2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E401AA	10_2_04E401AA
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E08158	10_2_04E08158
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D70100	10_2_04D70100
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E1A118	10_2_04E1A118
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E002C0	10_2_04E002C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E20274	10_2_04E20274
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E403E6	10_2_04E403E6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D8E3F0	10_2_04D8E3F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3A352	10_2_04E3A352
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D70CF2	10_2_04D70CF2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E20CB5	10_2_04E20CB5
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D80C00	10_2_04D80C00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D7ADE0	10_2_04D7ADE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D98DBF	10_2_04D98DBF
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D8AD00	10_2_04D8AD00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E1CD1F	10_2_04E1CD1F
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3EEDB	10_2_04E3EEDB
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D92E90	10_2_04D92E90
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3CE93	10_2_04E3CE93
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D80E59	10_2_04D80E59
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3EE26	10_2_04E3EE26
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D72FC8	10_2_04D72FC8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D8CFE0	10_2_04D8CFE0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DFEFA0	10_2_04DFEFA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DF4F40	10_2_04DF4F40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E22F30	10_2_04E22F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DA0F30	10_2_04DA0F30
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DC2F28	10_2_04DC2F28
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DAE8F0	10_2_04DAE8F0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D668B8	10_2_04D668B8
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D8A840	10_2_04D8A840
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D82840	10_2_04D82840
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E4A9A6	10_2_04E4A9A6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D829A0	10_2_04D829A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D96962	10_2_04D96962
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D7EA80	10_2_04D7EA80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E36BD7	10_2_04E36BD7
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3AB40	10_2_04E3AB40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D71460	10_2_04D71460
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3F43F	10_2_04E3F43F
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E495C3	10_2_04E495C3
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E1D5B0	10_2_04E1D5B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E37571	10_2_04E37571
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E316CC	10_2_04E316CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DC5630	10_2_04DC5630
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3F7B0	10_2_04E3F7B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3F0E0	10_2_04E3F0E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E370E9	10_2_04E370E9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D870C0	10_2_04D870C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E2F0CC	10_2_04E2F0CC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D8B1B0	10_2_04D8B1B0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E4B16B	10_2_04E4B16B
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D6F172	10_2_04D6F172
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DB516C	10_2_04DB516C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E212ED	10_2_04E212ED
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D9B2C0	10_2_04D9B2C0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D852A0	10_2_04D852A0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DC739A	10_2_04DC739A
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D6D34C	10_2_04D6D34C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3132D	10_2_04E3132D
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3FCF2	10_2_04E3FCF2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DF9C32	10_2_04DF9C32
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D9FDC0	10_2_04D9FDC0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E37D73	10_2_04E37D73
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D83D40	10_2_04D83D40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E31D5A	10_2_04E31D5A
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D89EB0	10_2_04D89EB0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D43FD5	10_2_04D43FD5
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D43FD2	10_2_04D43FD2
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D81F92	10_2_04D81F92
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3FFB1	10_2_04E3FFB1
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3FF09	10_2_04E3FF09
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D838E0	10_2_04D838E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DED800	10_2_04DED800
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D89950	10_2_04D89950
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D9B950	10_2_04D9B950
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E15910	10_2_04E15910
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E2DAC6	10_2_04E2DAC6
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E21AA3	10_2_04E21AA3
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E1DAAC	10_2_04E1DAAC
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DC5AA0	10_2_04DC5AA0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E37A46	10_2_04E37A46
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3FA49	10_2_04E3FA49
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DF3A6C	10_2_04DF3A6C
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DBDBF9	10_2_04DBDBF9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04DF5BF0	10_2_04DF5BF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04D9FB80	10_2_04D9FB80
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_04E3FB76	10_2_04E3FB76
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E61B50	10_2_02E61B50
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E5ABE7	10_2_02E5ABE7
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E5ABF0	10_2_02E5ABF0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E5C9E0	10_2_02E5C9E0
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E5C9D9	10_2_02E5C9D9
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E5CC00	10_2_02E5CC00
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E5AD40	10_2_02E5AD40
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E5AD35	10_2_02E5AD35
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E65200	10_2_02E65200
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E63410	10_2_02E63410
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_02E7B850	10_2_02E7B850
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_0509D758	10_2_0509D758
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_0509E68E	10_2_0509E68E
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: 10_2_0509E2F7	10_2_0509E2F7

Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04DEEA12 appears 86 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04DFF290 appears 105 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04DB5130 appears 58 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04DC7E54 appears 111 times
Source: C:\Windows\SysWOW64\sdchange.exe	Code function: String function: 04D6B970 appears 277 times
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: String function: 0186EA12 appears 86 times
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: String function: 017EB970 appears 265 times
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: String function: 01835130 appears 36 times
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: String function: 0187F290 appears 105 times
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: String function: 01847E54 appears 96 times

Source: RFQ862_791.exe, 00000000.00000002.1337328382.0000000005180000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs RFQ862_791.exe
Source: RFQ862_791.exe, 00000000.00000002.1302108329.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs RFQ862_791.exe
Source: RFQ862_791.exe, 00000000.00000002.1326564775.00000000036B9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs RFQ862_791.exe
Source: RFQ862_791.exe, 00000000.00000002.1323436744.0000000002847000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs RFQ862_791.exe
Source: RFQ862_791.exe, 00000000.00000000.1286108373.0000000000366000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameasSa.exep( vs RFQ862_791.exe
Source: RFQ862_791.exe, 00000000.00000002.1355111255.0000000006C80000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs RFQ862_791.exe
Source: RFQ862_791.exe, 00000006.00000002.1474289178.0000000001268000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesdchange.exej% vs RFQ862_791.exe
Source: RFQ862_791.exe, 00000006.00000002.1474581254.00000000018ED000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ862_791.exe
Source: RFQ862_791.exe	Binary or memory string: OriginalFilenameasSa.exep( vs RFQ862_791.exe

Source: RFQ862_791.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: RFQ862_791.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, omAEgsLmk0rNSsw9KS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, omAEgsLmk0rNSsw9KS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, omAEgsLmk0rNSsw9KS.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, BydxbIny3DavoODedB.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, BydxbIny3DavoODedB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, BydxbIny3DavoODedB.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, BydxbIny3DavoODedB.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/7@20/12

Source: C:\Users\user\Desktop\RFQ862_791.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ862_791.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7592:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1gaittxg.bq4.ps1

Jump to behavior

Source: RFQ862_791.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RFQ862_791.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\RFQ862_791.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sdchange.exe, 0000000A.00000003.1676395606.0000000003033000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3742330311.000000000302A000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000003.1674176621.000000000302A000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3742330311.0000000003056000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: RFQ862_791.exe	Virustotal: Detection: 50%
Source: RFQ862_791.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ862_791.exe "C:\Users\user\Desktop\RFQ862_791.exe"
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Users\user\Desktop\RFQ862_791.exe "C:\Users\user\Desktop\RFQ862_791.exe"
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Users\user\Desktop\RFQ862_791.exe "C:\Users\user\Desktop\RFQ862_791.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Users\user\Desktop\RFQ862_791.exe "C:\Users\user\Desktop\RFQ862_791.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Users\user\Desktop\RFQ862_791.exe "C:\Users\user\Desktop\RFQ862_791.exe"	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\RFQ862_791.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\sdchange.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: RFQ862_791.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ862_791.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: sdchange.pdbGCTL source: RFQ862_791.exe, 00000006.00000002.1474289178.0000000001268000.00000004.00000020.00020000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744193416.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RFQ862_791.exe, 00000006.00000002.1474581254.00000000017C0000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000003.1474184944.00000000049DF000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000003.1476763303.0000000004B8B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004D40000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ862_791.exe, RFQ862_791.exe, 00000006.00000002.1474581254.00000000017C0000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, sdchange.exe, 0000000A.00000003.1474184944.00000000049DF000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004EDE000.00000040.00001000.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000003.1476763303.0000000004B8B000.00000004.00000020.00020000.00000000.sdmp, sdchange.exe, 0000000A.00000002.3745754027.0000000004D40000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: sdchange.pdb source: RFQ862_791.exe, 00000006.00000002.1474289178.0000000001268000.00000004.00000020.00020000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744193416.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 29fSUmF6ATRArN0.exe, 00000009.00000002.3743703565.000000000092F000.00000002.00000001.01000000.0000000D.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000000.1557990693.000000000092F000.00000002.00000001.01000000.0000000D.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, omAEgsLmk0rNSsw9KS.cs	.Net Code: xoWTvaNywMkV2EMeLln(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xoWTvaNywMkV2EMeLln(typeof(IntPtr).TypeHandle),xoWTvaNywMkV2EMeLln(typeof(Type).TypeHandle)})
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, omAEgsLmk0rNSsw9KS.cs	.Net Code: xoWTvaNywMkV2EMeLln(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xoWTvaNywMkV2EMeLln(typeof(IntPtr).TypeHandle),xoWTvaNywMkV2EMeLln(typeof(Type).TypeHandle)})
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, omAEgsLmk0rNSsw9KS.cs	.Net Code: xoWTvaNywMkV2EMeLln(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xoWTvaNywMkV2EMeLln(typeof(IntPtr).TypeHandle),xoWTvaNywMkV2EMeLln(typeof(Type).TypeHandle)})

.NET source code contains potential unpacker

Source: RFQ862_791.exe, StartUp.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, MainForm.cs	.Net Code: uhnzfuOu0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	.Net Code: qdQXqiy7Qg System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, MainForm.cs	.Net Code: uhnzfuOu0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, MainForm.cs	.Net Code: uhnzfuOu0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	.Net Code: qdQXqiy7Qg System.Reflection.Assembly.Load(byte[])
Source: 10.2.sdchange.exe.540cd14.2.raw.unpack, StartUp.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 12.0.29fSUmF6ATRArN0.exe.2ddcd14.1.raw.unpack, StartUp.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 12.2.29fSUmF6ATRArN0.exe.2ddcd14.1.raw.unpack, StartUp.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 14.2.firefox.exe.b2dcd14.0.raw.unpack, StartUp.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9A9F7 push 039CB86Eh; retf	0_2_04C9AA23
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AACC push 0648B86Eh; retf	0_2_04C9AAD7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AAC0 push 061CB86Eh; retf	0_2_04C9AACB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AAD8 push 0674B86Eh; retf	0_2_04C9AAE3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AAE4 push 06A0B86Eh; retf	0_2_04C9AAEF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AAFC push 06F8B86Eh; retf	0_2_04C9AB07
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AAF0 push 06CCB86Eh; retf	0_2_04C9AAFB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA84 push 0540B86Eh; retf	0_2_04C9AA8F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA9C push 0598B86Eh; retf	0_2_04C9AAA7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA90 push 056CB86Eh; retf	0_2_04C9AA9B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AAA8 push 05C4B86Eh; retf	0_2_04C9AAB3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AAB4 push 05F0B86Eh; retf	0_2_04C9AABF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA48 push 0458B86Eh; retf	0_2_04C9AA53
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA54 push 0490B86Eh; retf	0_2_04C9AA5F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA6C push 04E8B86Eh; retf	0_2_04C9AA77
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA60 push 04BCB86Eh; retf	0_2_04C9AA6B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA78 push 0514B86Eh; retf	0_2_04C9AA83
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA24 push 03D4B86Eh; retf	0_2_04C9AA2F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA3C push 042CB86Eh; retf	0_2_04C9AA47
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AA30 push 0400B86Eh; retf	0_2_04C9AA3B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9ABC8 push 0B28B86Eh; retf	0_2_04C9ABD3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9ABD4 push 0B60B86Eh; retf	0_2_04C9ABDF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9ABEC push 0BC4B86Eh; retf	0_2_04C9ABF7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9ABE0 push 0B98B86Eh; retf	0_2_04C9ABEB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AB8C push 0A1CB86Eh; retf	0_2_04C9AB97
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AB80 push 09E4B86Eh; retf	0_2_04C9AB8B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AB98 push 0A48B86Eh; retf	0_2_04C9ABA3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9ABA4 push 0A80B86Eh; retf	0_2_04C9ABAF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9ABBC push 0AF0B86Eh; retf	0_2_04C9ABC7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9ABB0 push 0AB8B86Eh; retf	0_2_04C9ABBB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 0_2_04C9AB44 push 08FCB86Eh; retf	0_2_04C9AB4F

Source: RFQ862_791.exe

Static PE information: section name: .text entropy: 7.706602842794316

Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, RSlOXPu0D84Uacoq9o.cs	High entropy of concatenated method names: 'dSEPrbjjw5Nfd', 'hetARSe6TOuXdWcNUwV', 'JW3ScdeuSw97XLUTwrK', 'rep2YXegZiT671J0sfi', 'Qm9kV7eWbsvAdJWkG4U', 'huE5g9eKYOF5IIBOPCm', 'nF8jIQeoHcjqCrCHYrC', 'q42kwTecbHcQpRPs53F'
Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, b38guUNPeF6SV3DKHu.cs	High entropy of concatenated method names: 'o6SZV3DKH', 'qsnjwlNbE', 'hD8L4Uaco', 'C4k0oYICp', 'e4ZINr0jY', 'rgsqmk0rN', 'Dispose', 'b38NguUPe', 'mgChFQw0HJ8T8kWH5s', 'zwP7kBiLv58RkfgIpM'
Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, omAEgsLmk0rNSsw9KS.cs	High entropy of concatenated method names: 'O9QlEUNf2SwRKuXfyy6', 'eoIIfINTGrJKbQv4Ffh', 'nKwuG1ZxdD', 'H8aGLFNbFPyr9ndHw5C', 'Iu44hyNgRelDkZMt6YT', 'ixhgOCNWu2Nj52jSE07', 'QrSq6XN6hM3TKZKB0Yk', 'JD1LZZNuuRDZTNyYZyS', 'VTplgvNKqGOOL8pTyiG', 'K1x7jbNo9hgN71DYLJ3'
Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, Form1.cs	High entropy of concatenated method names: 'Dispose', 'WMwCh5Nlp', 'hGKdsRuQ1oxXc30xD7', 'kgkBroKW2VM2ogcDnj', 'hpcXb7Wwbb5kkeMyns', 'VSBnN06cTVemF8pxH1', 'QaqyMpoBwnf08yVTBf', 'LCNLCacEV976Blv0hu', 'Cbm0Fp2bNOXqbpEP2u', 'clQDvFUTcAXT070JZ5'
Source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'W1gUM3Dmg', 'MR66KHgKe', 'A003FUDMy', 'Huif9sPTl', 'B1SnrjuYo', 'mOC8YZ6Ms', 'pqN4i1b4H', 'o4TYyenZy', 'KsrhuUiXl', 'JpsklUG6Z'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, HPWBn427FohoKY4mSk.cs	High entropy of concatenated method names: 'egPqta7YR', 'LZY7MP02V', 'tIpGr01Sr', 'roqYV94no', 'Lyubyk09P', 'v07TRdc1a', 'Hytk5583PuPIlBI0ni', 'WtdcCmZWxO6Am1bg7u', 'gw6Za9krg', 'IxEscgydx'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, dILoqQzKQBks8vlaGD.cs	High entropy of concatenated method names: 'EGksGNl0RN', 'W82snEf1xK', 'XUOsbmwLqe', 'Plgs5dpUmp', 'XvAs3JnFgY', 'lKvsBSAdP7', 'NNdsUGQuMt', 'lVUsAbZ5il', 'CMKs9p8vxi', 'JTRsk7ftgX'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, qfvxjodShgJmDb5Cer.cs	High entropy of concatenated method names: 'EEw6nW20J9', 'Rdq6b6X2Sa', 'hNj65yagpB', 'ARt63vmA0t', 'qVj6B59USV', 'lU56UYe145', 'TGt6HgSYPj', 'tns6mrxwcT', 'lIY6NOOsLG', 'EUv6V7PQP0'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, uf66LuP1xO7xn1oUXi.cs	High entropy of concatenated method names: 'Dispose', 'Un5IFHPjJN', 'Gg123KCYMm', 'WnL4knYp1d', 'ay8I1Y4hSX', 'PZqIzlCiPJ', 'ProcessDialogKey', 'fKu2OixBlR', 'JAn2IfJn6j', 'p2K22SaqyU'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, BydxbIny3DavoODedB.cs	High entropy of concatenated method names: 'YhvPJ4GKhh', 'iSkPMMBHLB', 'KtxPekXpiH', 'NBgPlUK4Wr', 'wSWPRXo0dX', 'omNPiTEsjH', 'jVjPpbNZ1H', 'm3QPLUyRnr', 'C2oPFEcXyi', 'SGHP1pmNpP'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, fixBlRFUAnfJn6jE2K.cs	High entropy of concatenated method names: 'iZ6a5aNRtV', 'sGla3tbM44', 'd0qa0s6G51', 'PwBaBhufP3', 'ROOaUZjYSd', 'uuiar1YTAA', 'DDcaHdYYD8', 'k29am9gvFK', 'PEWafoDMwO', 'wd5aNmgIxj'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, vaqyUW1jpP3S0JmEDj.cs	High entropy of concatenated method names: 'yOcsQg0Fs4', 'SwxsCDFd90', 'HpyswMQwhS', 'Pp9sjcAAyY', 'a9nsaGcBgs', 'Qh4s4uhdN1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, BxUnD9e28RqKuGlr3B.cs	High entropy of concatenated method names: 'ToString', 'QgAEVR2Dyp', 'Nx4E32dFdk', 'DbpE0i0dBE', 'cGwEBhOXF0', 'vjxEUaKoKm', 'tGFErmVlMf', 'bQgEHPTKVM', 'qauEma70Z7', 'vLjEfblPKA'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, SONM6FHcyUSfix4FUg.cs	High entropy of concatenated method names: 'k4ijug7tx1', 'V1JjQcs1hP', 'PmEjwfy8PU', 'rpiw1mXVRo', 'LOxwzgDGAb', 'LKOjOhDZRX', 'fw3jIxjpKR', 'AnBj2iQR0a', 'n3rjy5wF44', 'kedjXlIN2V'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, rtWlaJf8ThurTY76A6.cs	High entropy of concatenated method names: 'abPj9hGV0H', 'b9djk2PjdJ', 'IL9jqp6mhJ', 'xbNj703PJT', 'n36jDJSKqq', 'ANQjGOVA9N', 'FwfjYeJLXy', 'bbijnrllEL', 'ltSjb9CDAs', 'BRtjTQAvxo'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, gn4xZY5mNTHGCqj2Cf.cs	High entropy of concatenated method names: 'KIIwcjNDCU', 'j3gwPnRogK', 'clmwC81Zaf', 'UAXwjMOCDG', 'qGlw4aaMlR', 'H1DCRvr2c1', 'SewCifxU3y', 'bnXCp8ocp0', 'qwxCL8aEvq', 'fiWCFLsTTV'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, onKZxJiu6IuEqOAqRV.cs	High entropy of concatenated method names: 'x1tgLNImDV', 'SoIg15RHpn', 'hM5ZOb4J8X', 'B7jZICBhyT', 'KcdgVQ0dae', 'TEKgxt9S4g', 'x9Mgdc3sfU', 'pfagJ1YwPA', 'zP4gMebxJp', 'XBBge8ypnK'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, P3AIYtIIXAfGNBWEr6U.cs	High entropy of concatenated method names: 'ie9s1nRjEY', 'dXnszAJe19', 'QIBtOBsf7Q', 'c2PtIVGXVT', 'gZvt2lfwIW', 'RwSty09IyG', 'fZutXRDKea', 'D6ftcpAco2', 'Dbotug6K8y', 'SEhtPXCBx6'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, nUDqHBIXkdi7W54wE5e.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yWx8aFmDtg', 'FIT8sNX2Ph', 'Xb08tpa7J3', 'fR588WcxHU', 'Arc8SbR001', 'Wps8WosIDW', 'tPi8AnBqQd'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	High entropy of concatenated method names: 'xXoycxm9bN', 'pR5yulSsro', 'EbmyP21PVa', 'lD5yQCJrgu', 'f0UyClXKhN', 'nKXywkCvoI', 'LMeyjGgSa3', 'HAsy4llGyI', 'I6pyhmUK4B', 'G0TyvuvJXX'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, hHBq7eTgFdv9naqMvl.cs	High entropy of concatenated method names: 'BcDCD6764t', 'vl1CYndJIr', 'i3oQ0qoIQU', 'bxcQBRVcYF', 'luhQUeKAK8', 'QnKQrX3lTj', 'nsyQHr1nZu', 'zpeQmtDNs9', 'w8vQfLTnRK', 'h9mQNpbmaB'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, gjIsY8J8LGck64mOqg.cs	High entropy of concatenated method names: 'gISKNOqssk', 'p02Kxqb9yf', 'DhRKJoZwQ4', 'prnKM8NIiB', 'mWxK3dM48Z', 'jhdK0QDAHD', 'tpkKBNum4g', 'rXoKUuD3hw', 'OKfKrs6J8v', 'jCBKHstNOg'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, icB5Y6IOEAk2xAdO9XP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WassVjiND2', 'yccsxI3C2P', 'bEosdjw3EM', 'xXasJmkDLn', 'Q8CsMriHjU', 'DY5sexwZma', 'G7tslo6NIC'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, mIpEt8XeKHQqGmIhg4.cs	High entropy of concatenated method names: 'utDIjydxbI', 'd3DI4avoOD', 'yBoIvGo5Ji', 'F8sIo5QHBq', 'rqMIKvlPn4', 'PZYIEmNTHG', 'OMRGP5SrQiGaxgS4hO', 'Be58IWvXmkTZx3OrlV', 'RlvII2ZDQX', 'cQPIy2AxtM'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, mQSuFkbBoGo5JiT8s5.cs	High entropy of concatenated method names: 'e79Q7O7fu9', 'i3SQGbYigG', 'JwAQnLG5qm', 'HEZQbi5STD', 'WTnQKkET41', 'i8CQE33q00', 'DLhQgxjf0a', 'JjsQZaPguy', 'XhIQaN7Ix1', 'cV6QsPSlCQ'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, PDkghKp2CRn5HPjJNO.cs	High entropy of concatenated method names: 'h8CaK6ZyZt', 'iB0ag1kVZ0', 'VcJaamZ3HB', 'Ymfatcvd4c', 'TiAaS490aA', 'LOBaAbgvy4', 'Dispose', 'AvRZuxvNFx', 'yTbZPxqsNH', 'o15ZQ8aICx'
Source: 0.2.RFQ862_791.exe.378ade0.2.raw.unpack, Wqi2hCrddjdLHLCGKl.cs	High entropy of concatenated method names: 'Iyiwer3Gbu', 'eZUwltesrl', 'DMdwRMAqLe', 'ToString', 'cxqwifjQaE', 'RydwpjTM56', 'qOUubq4PyEARQxvyLQX', 'v3UFVa4BJm5V1K8k2kN'
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, RSlOXPu0D84Uacoq9o.cs	High entropy of concatenated method names: 'dSEPrbjjw5Nfd', 'hetARSe6TOuXdWcNUwV', 'JW3ScdeuSw97XLUTwrK', 'rep2YXegZiT671J0sfi', 'Qm9kV7eWbsvAdJWkG4U', 'huE5g9eKYOF5IIBOPCm', 'nF8jIQeoHcjqCrCHYrC', 'q42kwTecbHcQpRPs53F'
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, b38guUNPeF6SV3DKHu.cs	High entropy of concatenated method names: 'o6SZV3DKH', 'qsnjwlNbE', 'hD8L4Uaco', 'C4k0oYICp', 'e4ZINr0jY', 'rgsqmk0rN', 'Dispose', 'b38NguUPe', 'mgChFQw0HJ8T8kWH5s', 'zwP7kBiLv58RkfgIpM'
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, omAEgsLmk0rNSsw9KS.cs	High entropy of concatenated method names: 'O9QlEUNf2SwRKuXfyy6', 'eoIIfINTGrJKbQv4Ffh', 'nKwuG1ZxdD', 'H8aGLFNbFPyr9ndHw5C', 'Iu44hyNgRelDkZMt6YT', 'ixhgOCNWu2Nj52jSE07', 'QrSq6XN6hM3TKZKB0Yk', 'JD1LZZNuuRDZTNyYZyS', 'VTplgvNKqGOOL8pTyiG', 'K1x7jbNo9hgN71DYLJ3'
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, Form1.cs	High entropy of concatenated method names: 'Dispose', 'WMwCh5Nlp', 'hGKdsRuQ1oxXc30xD7', 'kgkBroKW2VM2ogcDnj', 'hpcXb7Wwbb5kkeMyns', 'VSBnN06cTVemF8pxH1', 'QaqyMpoBwnf08yVTBf', 'LCNLCacEV976Blv0hu', 'Cbm0Fp2bNOXqbpEP2u', 'clQDvFUTcAXT070JZ5'
Source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'W1gUM3Dmg', 'MR66KHgKe', 'A003FUDMy', 'Huif9sPTl', 'B1SnrjuYo', 'mOC8YZ6Ms', 'pqN4i1b4H', 'o4TYyenZy', 'KsrhuUiXl', 'JpsklUG6Z'
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, RSlOXPu0D84Uacoq9o.cs	High entropy of concatenated method names: 'dSEPrbjjw5Nfd', 'hetARSe6TOuXdWcNUwV', 'JW3ScdeuSw97XLUTwrK', 'rep2YXegZiT671J0sfi', 'Qm9kV7eWbsvAdJWkG4U', 'huE5g9eKYOF5IIBOPCm', 'nF8jIQeoHcjqCrCHYrC', 'q42kwTecbHcQpRPs53F'
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, b38guUNPeF6SV3DKHu.cs	High entropy of concatenated method names: 'o6SZV3DKH', 'qsnjwlNbE', 'hD8L4Uaco', 'C4k0oYICp', 'e4ZINr0jY', 'rgsqmk0rN', 'Dispose', 'b38NguUPe', 'mgChFQw0HJ8T8kWH5s', 'zwP7kBiLv58RkfgIpM'
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, omAEgsLmk0rNSsw9KS.cs	High entropy of concatenated method names: 'O9QlEUNf2SwRKuXfyy6', 'eoIIfINTGrJKbQv4Ffh', 'nKwuG1ZxdD', 'H8aGLFNbFPyr9ndHw5C', 'Iu44hyNgRelDkZMt6YT', 'ixhgOCNWu2Nj52jSE07', 'QrSq6XN6hM3TKZKB0Yk', 'JD1LZZNuuRDZTNyYZyS', 'VTplgvNKqGOOL8pTyiG', 'K1x7jbNo9hgN71DYLJ3'
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, Form1.cs	High entropy of concatenated method names: 'Dispose', 'WMwCh5Nlp', 'hGKdsRuQ1oxXc30xD7', 'kgkBroKW2VM2ogcDnj', 'hpcXb7Wwbb5kkeMyns', 'VSBnN06cTVemF8pxH1', 'QaqyMpoBwnf08yVTBf', 'LCNLCacEV976Blv0hu', 'Cbm0Fp2bNOXqbpEP2u', 'clQDvFUTcAXT070JZ5'
Source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, MainForm.cs	High entropy of concatenated method names: 'W1gUM3Dmg', 'MR66KHgKe', 'A003FUDMy', 'Huif9sPTl', 'B1SnrjuYo', 'mOC8YZ6Ms', 'pqN4i1b4H', 'o4TYyenZy', 'KsrhuUiXl', 'JpsklUG6Z'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, HPWBn427FohoKY4mSk.cs	High entropy of concatenated method names: 'egPqta7YR', 'LZY7MP02V', 'tIpGr01Sr', 'roqYV94no', 'Lyubyk09P', 'v07TRdc1a', 'Hytk5583PuPIlBI0ni', 'WtdcCmZWxO6Am1bg7u', 'gw6Za9krg', 'IxEscgydx'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, dILoqQzKQBks8vlaGD.cs	High entropy of concatenated method names: 'EGksGNl0RN', 'W82snEf1xK', 'XUOsbmwLqe', 'Plgs5dpUmp', 'XvAs3JnFgY', 'lKvsBSAdP7', 'NNdsUGQuMt', 'lVUsAbZ5il', 'CMKs9p8vxi', 'JTRsk7ftgX'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, qfvxjodShgJmDb5Cer.cs	High entropy of concatenated method names: 'EEw6nW20J9', 'Rdq6b6X2Sa', 'hNj65yagpB', 'ARt63vmA0t', 'qVj6B59USV', 'lU56UYe145', 'TGt6HgSYPj', 'tns6mrxwcT', 'lIY6NOOsLG', 'EUv6V7PQP0'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, uf66LuP1xO7xn1oUXi.cs	High entropy of concatenated method names: 'Dispose', 'Un5IFHPjJN', 'Gg123KCYMm', 'WnL4knYp1d', 'ay8I1Y4hSX', 'PZqIzlCiPJ', 'ProcessDialogKey', 'fKu2OixBlR', 'JAn2IfJn6j', 'p2K22SaqyU'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, BydxbIny3DavoODedB.cs	High entropy of concatenated method names: 'YhvPJ4GKhh', 'iSkPMMBHLB', 'KtxPekXpiH', 'NBgPlUK4Wr', 'wSWPRXo0dX', 'omNPiTEsjH', 'jVjPpbNZ1H', 'm3QPLUyRnr', 'C2oPFEcXyi', 'SGHP1pmNpP'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, fixBlRFUAnfJn6jE2K.cs	High entropy of concatenated method names: 'iZ6a5aNRtV', 'sGla3tbM44', 'd0qa0s6G51', 'PwBaBhufP3', 'ROOaUZjYSd', 'uuiar1YTAA', 'DDcaHdYYD8', 'k29am9gvFK', 'PEWafoDMwO', 'wd5aNmgIxj'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, vaqyUW1jpP3S0JmEDj.cs	High entropy of concatenated method names: 'yOcsQg0Fs4', 'SwxsCDFd90', 'HpyswMQwhS', 'Pp9sjcAAyY', 'a9nsaGcBgs', 'Qh4s4uhdN1', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, BxUnD9e28RqKuGlr3B.cs	High entropy of concatenated method names: 'ToString', 'QgAEVR2Dyp', 'Nx4E32dFdk', 'DbpE0i0dBE', 'cGwEBhOXF0', 'vjxEUaKoKm', 'tGFErmVlMf', 'bQgEHPTKVM', 'qauEma70Z7', 'vLjEfblPKA'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, SONM6FHcyUSfix4FUg.cs	High entropy of concatenated method names: 'k4ijug7tx1', 'V1JjQcs1hP', 'PmEjwfy8PU', 'rpiw1mXVRo', 'LOxwzgDGAb', 'LKOjOhDZRX', 'fw3jIxjpKR', 'AnBj2iQR0a', 'n3rjy5wF44', 'kedjXlIN2V'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, rtWlaJf8ThurTY76A6.cs	High entropy of concatenated method names: 'abPj9hGV0H', 'b9djk2PjdJ', 'IL9jqp6mhJ', 'xbNj703PJT', 'n36jDJSKqq', 'ANQjGOVA9N', 'FwfjYeJLXy', 'bbijnrllEL', 'ltSjb9CDAs', 'BRtjTQAvxo'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, gn4xZY5mNTHGCqj2Cf.cs	High entropy of concatenated method names: 'KIIwcjNDCU', 'j3gwPnRogK', 'clmwC81Zaf', 'UAXwjMOCDG', 'qGlw4aaMlR', 'H1DCRvr2c1', 'SewCifxU3y', 'bnXCp8ocp0', 'qwxCL8aEvq', 'fiWCFLsTTV'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, onKZxJiu6IuEqOAqRV.cs	High entropy of concatenated method names: 'x1tgLNImDV', 'SoIg15RHpn', 'hM5ZOb4J8X', 'B7jZICBhyT', 'KcdgVQ0dae', 'TEKgxt9S4g', 'x9Mgdc3sfU', 'pfagJ1YwPA', 'zP4gMebxJp', 'XBBge8ypnK'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, P3AIYtIIXAfGNBWEr6U.cs	High entropy of concatenated method names: 'ie9s1nRjEY', 'dXnszAJe19', 'QIBtOBsf7Q', 'c2PtIVGXVT', 'gZvt2lfwIW', 'RwSty09IyG', 'fZutXRDKea', 'D6ftcpAco2', 'Dbotug6K8y', 'SEhtPXCBx6'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, nUDqHBIXkdi7W54wE5e.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'yWx8aFmDtg', 'FIT8sNX2Ph', 'Xb08tpa7J3', 'fR588WcxHU', 'Arc8SbR001', 'Wps8WosIDW', 'tPi8AnBqQd'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, FVAKOO4mqDZrn9Qluu.cs	High entropy of concatenated method names: 'xXoycxm9bN', 'pR5yulSsro', 'EbmyP21PVa', 'lD5yQCJrgu', 'f0UyClXKhN', 'nKXywkCvoI', 'LMeyjGgSa3', 'HAsy4llGyI', 'I6pyhmUK4B', 'G0TyvuvJXX'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, hHBq7eTgFdv9naqMvl.cs	High entropy of concatenated method names: 'BcDCD6764t', 'vl1CYndJIr', 'i3oQ0qoIQU', 'bxcQBRVcYF', 'luhQUeKAK8', 'QnKQrX3lTj', 'nsyQHr1nZu', 'zpeQmtDNs9', 'w8vQfLTnRK', 'h9mQNpbmaB'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, gjIsY8J8LGck64mOqg.cs	High entropy of concatenated method names: 'gISKNOqssk', 'p02Kxqb9yf', 'DhRKJoZwQ4', 'prnKM8NIiB', 'mWxK3dM48Z', 'jhdK0QDAHD', 'tpkKBNum4g', 'rXoKUuD3hw', 'OKfKrs6J8v', 'jCBKHstNOg'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, icB5Y6IOEAk2xAdO9XP.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WassVjiND2', 'yccsxI3C2P', 'bEosdjw3EM', 'xXasJmkDLn', 'Q8CsMriHjU', 'DY5sexwZma', 'G7tslo6NIC'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, mIpEt8XeKHQqGmIhg4.cs	High entropy of concatenated method names: 'utDIjydxbI', 'd3DI4avoOD', 'yBoIvGo5Ji', 'F8sIo5QHBq', 'rqMIKvlPn4', 'PZYIEmNTHG', 'OMRGP5SrQiGaxgS4hO', 'Be58IWvXmkTZx3OrlV', 'RlvII2ZDQX', 'cQPIy2AxtM'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, mQSuFkbBoGo5JiT8s5.cs	High entropy of concatenated method names: 'e79Q7O7fu9', 'i3SQGbYigG', 'JwAQnLG5qm', 'HEZQbi5STD', 'WTnQKkET41', 'i8CQE33q00', 'DLhQgxjf0a', 'JjsQZaPguy', 'XhIQaN7Ix1', 'cV6QsPSlCQ'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, PDkghKp2CRn5HPjJNO.cs	High entropy of concatenated method names: 'h8CaK6ZyZt', 'iB0ag1kVZ0', 'VcJaamZ3HB', 'Ymfatcvd4c', 'TiAaS490aA', 'LOBaAbgvy4', 'Dispose', 'AvRZuxvNFx', 'yTbZPxqsNH', 'o15ZQ8aICx'
Source: 0.2.RFQ862_791.exe.6c80000.7.raw.unpack, Wqi2hCrddjdLHLCGKl.cs	High entropy of concatenated method names: 'Iyiwer3Gbu', 'eZUwltesrl', 'DMdwRMAqLe', 'ToString', 'cxqwifjQaE', 'RydwpjTM56', 'qOUubq4PyEARQxvyLQX', 'v3UFVa4BJm5V1K8k2kN'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RFQ862_791.exe PID: 7412, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\sdchange.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Users\user\Desktop\RFQ862_791.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Memory allocated: 26B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Memory allocated: 24E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Memory allocated: 83A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Memory allocated: 93A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Memory allocated: 9590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Memory allocated: A590000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe

Code function: 6_2_0186D1C0 rdtsc

6_2_0186D1C0

Source: C:\Users\user\Desktop\RFQ862_791.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5589	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2410	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Window / User API: threadDelayed 3283	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Window / User API: threadDelayed 6690	Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\sdchange.exe	API coverage: 2.7 %

Source: C:\Users\user\Desktop\RFQ862_791.exe TID: 7432	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7784	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe TID: 8140	Thread sleep count: 3283 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe TID: 8140	Thread sleep time: -6566000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe TID: 8140	Thread sleep count: 6690 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe TID: 8140	Thread sleep time: -13380000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe TID: 8164	Thread sleep time: -95000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe TID: 8164	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe TID: 8164	Thread sleep time: -48000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe TID: 8164	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe TID: 8164	Thread sleep time: -46000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\sdchange.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\sdchange.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\sdchange.exe

Code function: 10_2_02E6C3C0 FindFirstFileW,FindNextFileW,FindClose,

10_2_02E6C3C0

Source: C:\Users\user\Desktop\RFQ862_791.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: sdchange.exe, 0000000A.00000002.3748922245.0000000007F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: u235K44.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: u235K44.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: u235K44.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: u235K44.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: u235K44.10.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: sdchange.exe, 0000000A.00000002.3748922245.0000000007F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rokers - EU WestVMware20,11696492231n
Source: u235K44.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: u235K44.10.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: sdchange.exe, 0000000A.00000002.3748922245.0000000007F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .co.inVMware20,11696492231d
Source: u235K44.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: u235K44.10.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: 29fSUmF6ATRArN0.exe, 0000000C.00000002.3744324531.0000000000E49000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.1784924212.000001E34B2DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: u235K44.10.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: sdchange.exe, 0000000A.00000002.3748922245.0000000007F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: smartscreen_malvertising_blocks_counterINTEGERrokers - EU WestVMware20,11696492231n
Source: u235K44.10.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: u235K44.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: u235K44.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: u235K44.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: u235K44.10.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: sdchange.exe, 0000000A.00000002.3742330311.0000000002FB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu(]
Source: u235K44.10.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: u235K44.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: u235K44.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: u235K44.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: u235K44.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: u235K44.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: u235K44.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Users\user\Desktop\RFQ862_791.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe

Code function: 6_2_0186D1C0 rdtsc

6_2_0186D1C0

Source: C:\Users\user\Desktop\RFQ862_791.exe

Code function: 6_2_004176B3 LdrLoadDll,

6_2_004176B3

Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AC188 mov eax, dword ptr fs:[00000030h]	6_2_018AC188
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AC188 mov eax, dword ptr fs:[00000030h]	6_2_018AC188
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01830185 mov eax, dword ptr fs:[00000030h]	6_2_01830185
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EF172 mov eax, dword ptr fs:[00000030h]	6_2_017EF172
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01847190 mov eax, dword ptr fs:[00000030h]	6_2_01847190
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187019F mov eax, dword ptr fs:[00000030h]	6_2_0187019F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187019F mov eax, dword ptr fs:[00000030h]	6_2_0187019F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187019F mov eax, dword ptr fs:[00000030h]	6_2_0187019F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187019F mov eax, dword ptr fs:[00000030h]	6_2_0187019F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EC156 mov eax, dword ptr fs:[00000030h]	6_2_017EC156
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F6154 mov eax, dword ptr fs:[00000030h]	6_2_017F6154
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F6154 mov eax, dword ptr fs:[00000030h]	6_2_017F6154
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F7152 mov eax, dword ptr fs:[00000030h]	6_2_017F7152
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A11A4 mov eax, dword ptr fs:[00000030h]	6_2_018A11A4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A11A4 mov eax, dword ptr fs:[00000030h]	6_2_018A11A4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A11A4 mov eax, dword ptr fs:[00000030h]	6_2_018A11A4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A11A4 mov eax, dword ptr fs:[00000030h]	6_2_018A11A4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180B1B0 mov eax, dword ptr fs:[00000030h]	6_2_0180B1B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9148 mov eax, dword ptr fs:[00000030h]	6_2_017E9148
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9148 mov eax, dword ptr fs:[00000030h]	6_2_017E9148
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9148 mov eax, dword ptr fs:[00000030h]	6_2_017E9148
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9148 mov eax, dword ptr fs:[00000030h]	6_2_017E9148
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C51CB mov eax, dword ptr fs:[00000030h]	6_2_018C51CB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B61C3 mov eax, dword ptr fs:[00000030h]	6_2_018B61C3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B61C3 mov eax, dword ptr fs:[00000030h]	6_2_018B61C3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB136 mov eax, dword ptr fs:[00000030h]	6_2_017EB136
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB136 mov eax, dword ptr fs:[00000030h]	6_2_017EB136
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB136 mov eax, dword ptr fs:[00000030h]	6_2_017EB136
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB136 mov eax, dword ptr fs:[00000030h]	6_2_017EB136
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1131 mov eax, dword ptr fs:[00000030h]	6_2_017F1131
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1131 mov eax, dword ptr fs:[00000030h]	6_2_017F1131
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182D1D0 mov eax, dword ptr fs:[00000030h]	6_2_0182D1D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182D1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0182D1D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0186E1D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0186E1D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0186E1D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0186E1D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0186E1D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C61E5 mov eax, dword ptr fs:[00000030h]	6_2_018C61E5
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018151EF mov eax, dword ptr fs:[00000030h]	6_2_018151EF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018971F9 mov esi, dword ptr fs:[00000030h]	6_2_018971F9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018201F8 mov eax, dword ptr fs:[00000030h]	6_2_018201F8
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189A118 mov ecx, dword ptr fs:[00000030h]	6_2_0189A118
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189A118 mov eax, dword ptr fs:[00000030h]	6_2_0189A118
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189A118 mov eax, dword ptr fs:[00000030h]	6_2_0189A118
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189A118 mov eax, dword ptr fs:[00000030h]	6_2_0189A118
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F51ED mov eax, dword ptr fs:[00000030h]	6_2_017F51ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B0115 mov eax, dword ptr fs:[00000030h]	6_2_018B0115
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01820124 mov eax, dword ptr fs:[00000030h]	6_2_01820124
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01883140 mov eax, dword ptr fs:[00000030h]	6_2_01883140
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01883140 mov eax, dword ptr fs:[00000030h]	6_2_01883140
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01883140 mov eax, dword ptr fs:[00000030h]	6_2_01883140
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01884144 mov eax, dword ptr fs:[00000030h]	6_2_01884144
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01884144 mov eax, dword ptr fs:[00000030h]	6_2_01884144
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01884144 mov ecx, dword ptr fs:[00000030h]	6_2_01884144
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01884144 mov eax, dword ptr fs:[00000030h]	6_2_01884144
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01884144 mov eax, dword ptr fs:[00000030h]	6_2_01884144
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01888158 mov eax, dword ptr fs:[00000030h]	6_2_01888158
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C5152 mov eax, dword ptr fs:[00000030h]	6_2_018C5152
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EA197 mov eax, dword ptr fs:[00000030h]	6_2_017EA197
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EA197 mov eax, dword ptr fs:[00000030h]	6_2_017EA197
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EA197 mov eax, dword ptr fs:[00000030h]	6_2_017EA197
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01889179 mov eax, dword ptr fs:[00000030h]	6_2_01889179
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187D080 mov eax, dword ptr fs:[00000030h]	6_2_0187D080
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187D080 mov eax, dword ptr fs:[00000030h]	6_2_0187D080
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181D090 mov eax, dword ptr fs:[00000030h]	6_2_0181D090
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181D090 mov eax, dword ptr fs:[00000030h]	6_2_0181D090
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182909C mov eax, dword ptr fs:[00000030h]	6_2_0182909C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018880A8 mov eax, dword ptr fs:[00000030h]	6_2_018880A8
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F2050 mov eax, dword ptr fs:[00000030h]	6_2_017F2050
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B60B8 mov eax, dword ptr fs:[00000030h]	6_2_018B60B8
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B60B8 mov ecx, dword ptr fs:[00000030h]	6_2_018B60B8
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov ecx, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov ecx, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov ecx, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov ecx, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018070C0 mov eax, dword ptr fs:[00000030h]	6_2_018070C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186D0C0 mov eax, dword ptr fs:[00000030h]	6_2_0186D0C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186D0C0 mov eax, dword ptr fs:[00000030h]	6_2_0186D0C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C50D9 mov eax, dword ptr fs:[00000030h]	6_2_018C50D9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018720DE mov eax, dword ptr fs:[00000030h]	6_2_018720DE
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018190DB mov eax, dword ptr fs:[00000030h]	6_2_018190DB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EA020 mov eax, dword ptr fs:[00000030h]	6_2_017EA020
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EC020 mov eax, dword ptr fs:[00000030h]	6_2_017EC020
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018150E4 mov eax, dword ptr fs:[00000030h]	6_2_018150E4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018150E4 mov ecx, dword ptr fs:[00000030h]	6_2_018150E4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018760E0 mov eax, dword ptr fs:[00000030h]	6_2_018760E0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018320F0 mov ecx, dword ptr fs:[00000030h]	6_2_018320F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01874000 mov ecx, dword ptr fs:[00000030h]	6_2_01874000
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EC0F0 mov eax, dword ptr fs:[00000030h]	6_2_017EC0F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E016 mov eax, dword ptr fs:[00000030h]	6_2_0180E016
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E016 mov eax, dword ptr fs:[00000030h]	6_2_0180E016
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E016 mov eax, dword ptr fs:[00000030h]	6_2_0180E016
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E016 mov eax, dword ptr fs:[00000030h]	6_2_0180E016
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F80E9 mov eax, dword ptr fs:[00000030h]	6_2_017F80E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EA0E3 mov ecx, dword ptr fs:[00000030h]	6_2_017EA0E3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B903E mov eax, dword ptr fs:[00000030h]	6_2_018B903E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B903E mov eax, dword ptr fs:[00000030h]	6_2_018B903E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B903E mov eax, dword ptr fs:[00000030h]	6_2_018B903E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B903E mov eax, dword ptr fs:[00000030h]	6_2_018B903E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B052 mov eax, dword ptr fs:[00000030h]	6_2_0181B052
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189705E mov ebx, dword ptr fs:[00000030h]	6_2_0189705E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189705E mov eax, dword ptr fs:[00000030h]	6_2_0189705E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876050 mov eax, dword ptr fs:[00000030h]	6_2_01876050
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F5096 mov eax, dword ptr fs:[00000030h]	6_2_017F5096
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187106E mov eax, dword ptr fs:[00000030h]	6_2_0187106E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C5060 mov eax, dword ptr fs:[00000030h]	6_2_018C5060
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov ecx, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01801070 mov eax, dword ptr fs:[00000030h]	6_2_01801070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181C073 mov eax, dword ptr fs:[00000030h]	6_2_0181C073
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017ED08D mov eax, dword ptr fs:[00000030h]	6_2_017ED08D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F208A mov eax, dword ptr fs:[00000030h]	6_2_017F208A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186D070 mov ecx, dword ptr fs:[00000030h]	6_2_0186D070
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181438F mov eax, dword ptr fs:[00000030h]	6_2_0181438F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181438F mov eax, dword ptr fs:[00000030h]	6_2_0181438F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F7370 mov eax, dword ptr fs:[00000030h]	6_2_017F7370
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F7370 mov eax, dword ptr fs:[00000030h]	6_2_017F7370
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F7370 mov eax, dword ptr fs:[00000030h]	6_2_017F7370
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C539D mov eax, dword ptr fs:[00000030h]	6_2_018C539D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0184739A mov eax, dword ptr fs:[00000030h]	6_2_0184739A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0184739A mov eax, dword ptr fs:[00000030h]	6_2_0184739A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018233A0 mov eax, dword ptr fs:[00000030h]	6_2_018233A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018233A0 mov eax, dword ptr fs:[00000030h]	6_2_018233A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018133A5 mov eax, dword ptr fs:[00000030h]	6_2_018133A5
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9353 mov eax, dword ptr fs:[00000030h]	6_2_017E9353
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9353 mov eax, dword ptr fs:[00000030h]	6_2_017E9353
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017ED34C mov eax, dword ptr fs:[00000030h]	6_2_017ED34C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017ED34C mov eax, dword ptr fs:[00000030h]	6_2_017ED34C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AC3CD mov eax, dword ptr fs:[00000030h]	6_2_018AC3CD
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018763C0 mov eax, dword ptr fs:[00000030h]	6_2_018763C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E7330 mov eax, dword ptr fs:[00000030h]	6_2_017E7330
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AB3D0 mov ecx, dword ptr fs:[00000030h]	6_2_018AB3D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018003E9 mov eax, dword ptr fs:[00000030h]	6_2_018003E9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AF3E6 mov eax, dword ptr fs:[00000030h]	6_2_018AF3E6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EC310 mov ecx, dword ptr fs:[00000030h]	6_2_017EC310
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C53FC mov eax, dword ptr fs:[00000030h]	6_2_018C53FC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0180E3F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0180E3F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0180E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0180E3F0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018263FF mov eax, dword ptr fs:[00000030h]	6_2_018263FF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182A30B mov eax, dword ptr fs:[00000030h]	6_2_0182A30B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182A30B mov eax, dword ptr fs:[00000030h]	6_2_0182A30B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182A30B mov eax, dword ptr fs:[00000030h]	6_2_0182A30B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187930B mov eax, dword ptr fs:[00000030h]	6_2_0187930B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187930B mov eax, dword ptr fs:[00000030h]	6_2_0187930B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187930B mov eax, dword ptr fs:[00000030h]	6_2_0187930B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01810310 mov ecx, dword ptr fs:[00000030h]	6_2_01810310
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B132D mov eax, dword ptr fs:[00000030h]	6_2_018B132D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B132D mov eax, dword ptr fs:[00000030h]	6_2_018B132D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F32A mov eax, dword ptr fs:[00000030h]	6_2_0181F32A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_017FA3C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_017FA3C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_017FA3C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_017FA3C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_017FA3C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA3C0 mov eax, dword ptr fs:[00000030h]	6_2_017FA3C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F83C0 mov eax, dword ptr fs:[00000030h]	6_2_017F83C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F83C0 mov eax, dword ptr fs:[00000030h]	6_2_017F83C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F83C0 mov eax, dword ptr fs:[00000030h]	6_2_017F83C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F83C0 mov eax, dword ptr fs:[00000030h]	6_2_017F83C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C5341 mov eax, dword ptr fs:[00000030h]	6_2_018C5341
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01872349 mov eax, dword ptr fs:[00000030h]	6_2_01872349
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BA352 mov eax, dword ptr fs:[00000030h]	6_2_018BA352
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187035C mov eax, dword ptr fs:[00000030h]	6_2_0187035C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187035C mov eax, dword ptr fs:[00000030h]	6_2_0187035C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187035C mov eax, dword ptr fs:[00000030h]	6_2_0187035C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187035C mov ecx, dword ptr fs:[00000030h]	6_2_0187035C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187035C mov eax, dword ptr fs:[00000030h]	6_2_0187035C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187035C mov eax, dword ptr fs:[00000030h]	6_2_0187035C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E8397 mov eax, dword ptr fs:[00000030h]	6_2_017E8397
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E8397 mov eax, dword ptr fs:[00000030h]	6_2_017E8397
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E8397 mov eax, dword ptr fs:[00000030h]	6_2_017E8397
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AF367 mov eax, dword ptr fs:[00000030h]	6_2_018AF367
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189437C mov eax, dword ptr fs:[00000030h]	6_2_0189437C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EE388 mov eax, dword ptr fs:[00000030h]	6_2_017EE388
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EE388 mov eax, dword ptr fs:[00000030h]	6_2_017EE388
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EE388 mov eax, dword ptr fs:[00000030h]	6_2_017EE388
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01870283 mov eax, dword ptr fs:[00000030h]	6_2_01870283
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01870283 mov eax, dword ptr fs:[00000030h]	6_2_01870283
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01870283 mov eax, dword ptr fs:[00000030h]	6_2_01870283
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182E284 mov eax, dword ptr fs:[00000030h]	6_2_0182E284
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182E284 mov eax, dword ptr fs:[00000030h]	6_2_0182E284
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C5283 mov eax, dword ptr fs:[00000030h]	6_2_018C5283
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E826B mov eax, dword ptr fs:[00000030h]	6_2_017E826B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182329E mov eax, dword ptr fs:[00000030h]	6_2_0182329E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182329E mov eax, dword ptr fs:[00000030h]	6_2_0182329E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F4260 mov eax, dword ptr fs:[00000030h]	6_2_017F4260
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F4260 mov eax, dword ptr fs:[00000030h]	6_2_017F4260
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F4260 mov eax, dword ptr fs:[00000030h]	6_2_017F4260
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018002A0 mov eax, dword ptr fs:[00000030h]	6_2_018002A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018002A0 mov eax, dword ptr fs:[00000030h]	6_2_018002A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018052A0 mov eax, dword ptr fs:[00000030h]	6_2_018052A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018052A0 mov eax, dword ptr fs:[00000030h]	6_2_018052A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018052A0 mov eax, dword ptr fs:[00000030h]	6_2_018052A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018052A0 mov eax, dword ptr fs:[00000030h]	6_2_018052A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F6259 mov eax, dword ptr fs:[00000030h]	6_2_017F6259
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018872A0 mov eax, dword ptr fs:[00000030h]	6_2_018872A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018872A0 mov eax, dword ptr fs:[00000030h]	6_2_018872A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018862A0 mov eax, dword ptr fs:[00000030h]	6_2_018862A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018862A0 mov ecx, dword ptr fs:[00000030h]	6_2_018862A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018862A0 mov eax, dword ptr fs:[00000030h]	6_2_018862A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018862A0 mov eax, dword ptr fs:[00000030h]	6_2_018862A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018862A0 mov eax, dword ptr fs:[00000030h]	6_2_018862A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018862A0 mov eax, dword ptr fs:[00000030h]	6_2_018862A0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B92A6 mov eax, dword ptr fs:[00000030h]	6_2_018B92A6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B92A6 mov eax, dword ptr fs:[00000030h]	6_2_018B92A6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B92A6 mov eax, dword ptr fs:[00000030h]	6_2_018B92A6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018B92A6 mov eax, dword ptr fs:[00000030h]	6_2_018B92A6
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EA250 mov eax, dword ptr fs:[00000030h]	6_2_017EA250
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018792BC mov eax, dword ptr fs:[00000030h]	6_2_018792BC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018792BC mov eax, dword ptr fs:[00000030h]	6_2_018792BC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018792BC mov ecx, dword ptr fs:[00000030h]	6_2_018792BC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018792BC mov ecx, dword ptr fs:[00000030h]	6_2_018792BC
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9240 mov eax, dword ptr fs:[00000030h]	6_2_017E9240
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E9240 mov eax, dword ptr fs:[00000030h]	6_2_017E9240
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181B2C0 mov eax, dword ptr fs:[00000030h]	6_2_0181B2C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E823B mov eax, dword ptr fs:[00000030h]	6_2_017E823B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F2D0 mov eax, dword ptr fs:[00000030h]	6_2_0181F2D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F2D0 mov eax, dword ptr fs:[00000030h]	6_2_0181F2D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018002E1 mov eax, dword ptr fs:[00000030h]	6_2_018002E1
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018002E1 mov eax, dword ptr fs:[00000030h]	6_2_018002E1
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018002E1 mov eax, dword ptr fs:[00000030h]	6_2_018002E1
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A12ED mov eax, dword ptr fs:[00000030h]	6_2_018A12ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C52E2 mov eax, dword ptr fs:[00000030h]	6_2_018C52E2
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AF2F8 mov eax, dword ptr fs:[00000030h]	6_2_018AF2F8
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E92FF mov eax, dword ptr fs:[00000030h]	6_2_017E92FF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01827208 mov eax, dword ptr fs:[00000030h]	6_2_01827208
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01827208 mov eax, dword ptr fs:[00000030h]	6_2_01827208
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C5227 mov eax, dword ptr fs:[00000030h]	6_2_018C5227
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB2D3 mov eax, dword ptr fs:[00000030h]	6_2_017EB2D3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB2D3 mov eax, dword ptr fs:[00000030h]	6_2_017EB2D3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB2D3 mov eax, dword ptr fs:[00000030h]	6_2_017EB2D3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F92C5 mov eax, dword ptr fs:[00000030h]	6_2_017F92C5
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F92C5 mov eax, dword ptr fs:[00000030h]	6_2_017F92C5
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_017FA2C3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_017FA2C3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_017FA2C3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_017FA2C3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FA2C3 mov eax, dword ptr fs:[00000030h]	6_2_017FA2C3
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01878243 mov eax, dword ptr fs:[00000030h]	6_2_01878243
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01878243 mov ecx, dword ptr fs:[00000030h]	6_2_01878243
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182724D mov eax, dword ptr fs:[00000030h]	6_2_0182724D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187D250 mov ecx, dword ptr fs:[00000030h]	6_2_0187D250
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AB256 mov eax, dword ptr fs:[00000030h]	6_2_018AB256
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AB256 mov eax, dword ptr fs:[00000030h]	6_2_018AB256
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BD26B mov eax, dword ptr fs:[00000030h]	6_2_018BD26B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018BD26B mov eax, dword ptr fs:[00000030h]	6_2_018BD26B
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01831270 mov eax, dword ptr fs:[00000030h]	6_2_01831270
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01831270 mov eax, dword ptr fs:[00000030h]	6_2_01831270
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01819274 mov eax, dword ptr fs:[00000030h]	6_2_01819274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018A0274 mov eax, dword ptr fs:[00000030h]	6_2_018A0274
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01824588 mov eax, dword ptr fs:[00000030h]	6_2_01824588
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187B594 mov eax, dword ptr fs:[00000030h]	6_2_0187B594
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187B594 mov eax, dword ptr fs:[00000030h]	6_2_0187B594
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EB562 mov eax, dword ptr fs:[00000030h]	6_2_017EB562
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182E59C mov eax, dword ptr fs:[00000030h]	6_2_0182E59C
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018705A7 mov eax, dword ptr fs:[00000030h]	6_2_018705A7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018705A7 mov eax, dword ptr fs:[00000030h]	6_2_018705A7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018705A7 mov eax, dword ptr fs:[00000030h]	6_2_018705A7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115A9 mov eax, dword ptr fs:[00000030h]	6_2_018115A9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115A9 mov eax, dword ptr fs:[00000030h]	6_2_018115A9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115A9 mov eax, dword ptr fs:[00000030h]	6_2_018115A9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115A9 mov eax, dword ptr fs:[00000030h]	6_2_018115A9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115A9 mov eax, dword ptr fs:[00000030h]	6_2_018115A9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F8550 mov eax, dword ptr fs:[00000030h]	6_2_017F8550
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F8550 mov eax, dword ptr fs:[00000030h]	6_2_017F8550
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018145B1 mov eax, dword ptr fs:[00000030h]	6_2_018145B1
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018145B1 mov eax, dword ptr fs:[00000030h]	6_2_018145B1
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181F5B0 mov eax, dword ptr fs:[00000030h]	6_2_0181F5B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018835BA mov eax, dword ptr fs:[00000030h]	6_2_018835BA
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018835BA mov eax, dword ptr fs:[00000030h]	6_2_018835BA
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018835BA mov eax, dword ptr fs:[00000030h]	6_2_018835BA
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018835BA mov eax, dword ptr fs:[00000030h]	6_2_018835BA
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AF5BE mov eax, dword ptr fs:[00000030h]	6_2_018AF5BE
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018255C0 mov eax, dword ptr fs:[00000030h]	6_2_018255C0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C55C9 mov eax, dword ptr fs:[00000030h]	6_2_018C55C9
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FD534 mov eax, dword ptr fs:[00000030h]	6_2_017FD534
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FD534 mov eax, dword ptr fs:[00000030h]	6_2_017FD534
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FD534 mov eax, dword ptr fs:[00000030h]	6_2_017FD534
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FD534 mov eax, dword ptr fs:[00000030h]	6_2_017FD534
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FD534 mov eax, dword ptr fs:[00000030h]	6_2_017FD534
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FD534 mov eax, dword ptr fs:[00000030h]	6_2_017FD534
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182E5CF mov eax, dword ptr fs:[00000030h]	6_2_0182E5CF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182E5CF mov eax, dword ptr fs:[00000030h]	6_2_0182E5CF
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0182A5D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0182A5D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186D5D0 mov eax, dword ptr fs:[00000030h]	6_2_0186D5D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0186D5D0 mov ecx, dword ptr fs:[00000030h]	6_2_0186D5D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C35D7 mov eax, dword ptr fs:[00000030h]	6_2_018C35D7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C35D7 mov eax, dword ptr fs:[00000030h]	6_2_018C35D7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C35D7 mov eax, dword ptr fs:[00000030h]	6_2_018C35D7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018195DA mov eax, dword ptr fs:[00000030h]	6_2_018195DA
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0181E5E7
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182C5ED mov eax, dword ptr fs:[00000030h]	6_2_0182C5ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182C5ED mov eax, dword ptr fs:[00000030h]	6_2_0182C5ED
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115F4 mov eax, dword ptr fs:[00000030h]	6_2_018115F4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115F4 mov eax, dword ptr fs:[00000030h]	6_2_018115F4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115F4 mov eax, dword ptr fs:[00000030h]	6_2_018115F4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115F4 mov eax, dword ptr fs:[00000030h]	6_2_018115F4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115F4 mov eax, dword ptr fs:[00000030h]	6_2_018115F4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018115F4 mov eax, dword ptr fs:[00000030h]	6_2_018115F4
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01827505 mov eax, dword ptr fs:[00000030h]	6_2_01827505
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01827505 mov ecx, dword ptr fs:[00000030h]	6_2_01827505
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C4500 mov eax, dword ptr fs:[00000030h]	6_2_018C4500
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C4500 mov eax, dword ptr fs:[00000030h]	6_2_018C4500
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C4500 mov eax, dword ptr fs:[00000030h]	6_2_018C4500
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C4500 mov eax, dword ptr fs:[00000030h]	6_2_018C4500
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C4500 mov eax, dword ptr fs:[00000030h]	6_2_018C4500
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C4500 mov eax, dword ptr fs:[00000030h]	6_2_018C4500
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C4500 mov eax, dword ptr fs:[00000030h]	6_2_018C4500
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F25E0 mov eax, dword ptr fs:[00000030h]	6_2_017F25E0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018AB52F mov eax, dword ptr fs:[00000030h]	6_2_018AB52F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189F525 mov eax, dword ptr fs:[00000030h]	6_2_0189F525
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189F525 mov eax, dword ptr fs:[00000030h]	6_2_0189F525
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189F525 mov eax, dword ptr fs:[00000030h]	6_2_0189F525
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189F525 mov eax, dword ptr fs:[00000030h]	6_2_0189F525
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189F525 mov eax, dword ptr fs:[00000030h]	6_2_0189F525
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189F525 mov eax, dword ptr fs:[00000030h]	6_2_0189F525
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0189F525 mov eax, dword ptr fs:[00000030h]	6_2_0189F525
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F65D0 mov eax, dword ptr fs:[00000030h]	6_2_017F65D0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182D530 mov eax, dword ptr fs:[00000030h]	6_2_0182D530
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182D530 mov eax, dword ptr fs:[00000030h]	6_2_0182D530
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800535 mov eax, dword ptr fs:[00000030h]	6_2_01800535
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800535 mov eax, dword ptr fs:[00000030h]	6_2_01800535
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800535 mov eax, dword ptr fs:[00000030h]	6_2_01800535
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800535 mov eax, dword ptr fs:[00000030h]	6_2_01800535
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800535 mov eax, dword ptr fs:[00000030h]	6_2_01800535
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01800535 mov eax, dword ptr fs:[00000030h]	6_2_01800535
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C5537 mov eax, dword ptr fs:[00000030h]	6_2_018C5537
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E53E mov eax, dword ptr fs:[00000030h]	6_2_0181E53E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E53E mov eax, dword ptr fs:[00000030h]	6_2_0181E53E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E53E mov eax, dword ptr fs:[00000030h]	6_2_0181E53E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E53E mov eax, dword ptr fs:[00000030h]	6_2_0181E53E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181E53E mov eax, dword ptr fs:[00000030h]	6_2_0181E53E
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182656A mov eax, dword ptr fs:[00000030h]	6_2_0182656A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182656A mov eax, dword ptr fs:[00000030h]	6_2_0182656A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182656A mov eax, dword ptr fs:[00000030h]	6_2_0182656A
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E758F mov eax, dword ptr fs:[00000030h]	6_2_017E758F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E758F mov eax, dword ptr fs:[00000030h]	6_2_017E758F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E758F mov eax, dword ptr fs:[00000030h]	6_2_017E758F
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182B570 mov eax, dword ptr fs:[00000030h]	6_2_0182B570
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0182B570 mov eax, dword ptr fs:[00000030h]	6_2_0182B570
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F2582 mov eax, dword ptr fs:[00000030h]	6_2_017F2582
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F2582 mov ecx, dword ptr fs:[00000030h]	6_2_017F2582
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1460 mov eax, dword ptr fs:[00000030h]	6_2_017F1460
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1460 mov eax, dword ptr fs:[00000030h]	6_2_017F1460
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1460 mov eax, dword ptr fs:[00000030h]	6_2_017F1460
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1460 mov eax, dword ptr fs:[00000030h]	6_2_017F1460
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F1460 mov eax, dword ptr fs:[00000030h]	6_2_017F1460
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017E645D mov eax, dword ptr fs:[00000030h]	6_2_017E645D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018234B0 mov eax, dword ptr fs:[00000030h]	6_2_018234B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018244B0 mov ecx, dword ptr fs:[00000030h]	6_2_018244B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0187A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0187A4B0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FB440 mov eax, dword ptr fs:[00000030h]	6_2_017FB440
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FB440 mov eax, dword ptr fs:[00000030h]	6_2_017FB440
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FB440 mov eax, dword ptr fs:[00000030h]	6_2_017FB440
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FB440 mov eax, dword ptr fs:[00000030h]	6_2_017FB440
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FB440 mov eax, dword ptr fs:[00000030h]	6_2_017FB440
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017FB440 mov eax, dword ptr fs:[00000030h]	6_2_017FB440
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018C54DB mov eax, dword ptr fs:[00000030h]	6_2_018C54DB
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EC427 mov eax, dword ptr fs:[00000030h]	6_2_017EC427
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EE420 mov eax, dword ptr fs:[00000030h]	6_2_017EE420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EE420 mov eax, dword ptr fs:[00000030h]	6_2_017EE420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017EE420 mov eax, dword ptr fs:[00000030h]	6_2_017EE420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_018994E0 mov eax, dword ptr fs:[00000030h]	6_2_018994E0
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01828402 mov eax, dword ptr fs:[00000030h]	6_2_01828402
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01828402 mov eax, dword ptr fs:[00000030h]	6_2_01828402
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01828402 mov eax, dword ptr fs:[00000030h]	6_2_01828402
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_0181340D mov eax, dword ptr fs:[00000030h]	6_2_0181340D
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01877410 mov eax, dword ptr fs:[00000030h]	6_2_01877410
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_017F04E5 mov ecx, dword ptr fs:[00000030h]	6_2_017F04E5
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876420 mov eax, dword ptr fs:[00000030h]	6_2_01876420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876420 mov eax, dword ptr fs:[00000030h]	6_2_01876420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876420 mov eax, dword ptr fs:[00000030h]	6_2_01876420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876420 mov eax, dword ptr fs:[00000030h]	6_2_01876420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876420 mov eax, dword ptr fs:[00000030h]	6_2_01876420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876420 mov eax, dword ptr fs:[00000030h]	6_2_01876420
Source: C:\Users\user\Desktop\RFQ862_791.exe	Code function: 6_2_01876420 mov eax, dword ptr fs:[00000030h]	6_2_01876420

Source: C:\Users\user\Desktop\RFQ862_791.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe"
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: NULL target: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Section loaded: NULL target: C:\Windows\SysWOW64\sdchange.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\sdchange.exe

Thread register set: target process: 6192

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\sdchange.exe

Thread APC queued: target process: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe

Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ862_791.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Users\user\Desktop\RFQ862_791.exe "C:\Users\user\Desktop\RFQ862_791.exe"	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Process created: C:\Users\user\Desktop\RFQ862_791.exe "C:\Users\user\Desktop\RFQ862_791.exe"	Jump to behavior
Source: C:\Program Files (x86)\TahsJDBPxBmorIbAXmYzhkxiyfAmDXHViblTLSBAWWohpIJPSuZlEs\29fSUmF6ATRArN0.exe	Process created: C:\Windows\SysWOW64\sdchange.exe "C:\Windows\SysWOW64\sdchange.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: 29fSUmF6ATRArN0.exe, 00000009.00000000.1395858138.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744477862.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000002.3744757798.0000000001480000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 29fSUmF6ATRArN0.exe, 00000009.00000000.1395858138.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744477862.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000002.3744757798.0000000001480000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 29fSUmF6ATRArN0.exe, 00000009.00000000.1395858138.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744477862.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000002.3744757798.0000000001480000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: 29fSUmF6ATRArN0.exe, 00000009.00000000.1395858138.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 00000009.00000002.3744477862.0000000000F80000.00000002.00000001.00040000.00000000.sdmp, 29fSUmF6ATRArN0.exe, 0000000C.00000002.3744757798.0000000001480000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\RFQ862_791.exe	Queries volume information: C:\Users\user\Desktop\RFQ862_791.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RFQ862_791.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ862_791.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3747403564.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3738649389.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476508314.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745403321.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1473869422.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745592825.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3744955884.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476794353.0000000002640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RFQ862_791.exe.5180000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.36d62a8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.2ac613c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.28a4414.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1337328382.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1326564775.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1323436744.0000000002847000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\sdchange.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\sdchange.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RFQ862_791.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.3747403564.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3738649389.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476508314.0000000001B60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745403321.0000000004BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1473869422.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3745592825.0000000004BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3744955884.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1476794353.0000000002640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.RFQ862_791.exe.5180000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.5180000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.36d62a8.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.36d62a8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.2ac613c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.2ac613c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ862_791.exe.28a4414.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1337328382.0000000005180000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1326564775.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1323436744.0000000002847000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	312 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	22 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ862_791.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
RFQ862_791.exe