Windows Analysis Report
FRQ 101102-04-25-0948-015.exe

Overview

General Information

Sample name: FRQ 101102-04-25-0948-015.exe
Analysis ID: 1624291
MD5: feac225fe44504504538ae1d4a057a05
SHA1: 880b0d42152e7e7535ef15f6a1e58b1c989b0829
SHA256: e995625ce21ffd58435c425d4350f614f8126d4fc9e48459eef83b70cc58da53
Tags: exe user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • FRQ 101102-04-25-0948-015.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe" MD5: FEAC225FE44504504538AE1D4A057A05)
    • FRQ 101102-04-25-0948-015.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe" MD5: FEAC225FE44504504538AE1D4A057A05)
      • qUbKt1u3h.exe (PID: 4812 cmdline: "C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\CqMf3sZbP.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • dxdiag.exe (PID: 7900 cmdline: "C:\Windows\SysWOW64\dxdiag.exe" MD5: 24D3F0DB6CCF0C341EA4F6B206DF2EDF)
          • qUbKt1u3h.exe (PID: 2300 cmdline: "C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 8088 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000009.00000002.4160341209.0000000000E10000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.4159091548.0000000000700000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2157979065.0000000000E60000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2157335781.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.4160603364.00000000046C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
3.2.FRQ 101102-04-25-0948-015.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.FRQ 101102-04-25-0948-015.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

No Sigma rule has matched

                AV Detection

                Source: http://www.blockchaintourism.xyz/t3sb/ Avira URL Cloud: Label: malware
                Source: FRQ 101102-04-25-0948-015.exe Virustotal: Detection: 43%
                Source: FRQ 101102-04-25-0948-015.exe ReversingLabs: Detection: 42%
                Source: Yara matchFile source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000009.00000002.4160341209.0000000000E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4159091548.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2157979065.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2157335781.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4160603364.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.4160671939.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4160551388.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.2163605937.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
                Source: FRQ 101102-04-25-0948-015.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: FRQ 101102-04-25-0948-015.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: dxdiag.pdbGCTL source: qUbKt1u3h.exe, 00000007.00000002.4159815797.00000000013EE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: FRQ 101102-04-25-0948-015.exe, 00000003.00000002.2158100543.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000002.4160883675.0000000004950000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000002.4160883675.0000000004AEE000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2157574932.00000000045F0000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2164234539.00000000047A3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: dxdiag.pdb source: qUbKt1u3h.exe, 00000007.00000002.4159815797.00000000013EE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: FRQ 101102-04-25-0948-015.exe, FRQ 101102-04-25-0948-015.exe, 00000003.00000002.2158100543.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, dxdiag.exe, 00000008.00000002.4160883675.0000000004950000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000002.4160883675.0000000004AEE000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2157574932.00000000045F0000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2164234539.00000000047A3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qUbKt1u3h.exe, 00000007.00000000.2078529782.0000000000DEF000.00000002.00000001.01000000.0000000C.sdmp, qUbKt1u3h.exe, 00000009.00000000.2228666359.0000000000DEF000.00000002.00000001.01000000.0000000C.sdmp
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_0071C9E0 FindFirstFileW,FindNextFileW,FindClose, 8_2_0071C9E0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 4x nop then xor esi, esi 3_2_00418AEA
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 4x nop then xor eax, eax 8_2_00709F10
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 4x nop then mov ebx, 00000004h 8_2_048104DF

                Networking

                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49764 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49864 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49897 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49913 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49881 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49948 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49983 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49964 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50026 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50030 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49999 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50040 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50038 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50022 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50054 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50032 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50036 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50046 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50052 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50057 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50061 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50044 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50028 -> 217.160.0.236:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50024 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50060 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50053 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50055 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 13.248.169.48:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50048 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50042 -> 107.148.6.145:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50049 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50034 -> 209.74.77.230:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50058 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50050 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50056 -> 3.33.130.190:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50059 -> 13.248.169.48:80
                Source: DNS query: www.seekmeme.xyz
                Source: DNS query: www.myfort.xyz
                Source: DNS query: www.blockchaintourism.xyz
                Source: DNS query: www.persembunyian.xyz
                Source: DNS query: www.kantad.xyz
                Source: DNS query: www.tether1.xyz
                Source: DNS query: www.furacao.xyz
                Source: DNS query: www.drlara.xyz
                Source: Joe Sandbox View IP Address: 13.248.169.48
                Source: Joe Sandbox View IP Address: 217.160.0.236
                Source: Joe Sandbox View ASN Name: PEGTECHINCUS
                Source: Joe Sandbox View ASN Name: MULTIBAND-NEWHOPEUS
                Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
                Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknown HTTP traffic detected: POST /regg/ HTTP/1.1 Host: www.myfort.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Connection: close Content-Length: 200 Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Origin: http://www.myfort.xyz Referer: http://www.myfort.xyz/regg/ User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; Tablet PC 2.0; BRI/2; .NET4.0E) Data Ascii: xj_=CCO8UFfXQeAw8Dnrize6Zju1qI6xkWgJd3wCQA8eBJcbibtxOejNCN40DuJvGvdcXj5BvcFfZzNsKKw8R814lX0U1UkBsA57zAxnyVk6Hz/W2cDMa4aQKq6VselgWHkz5b/l4VNBjxL7urKG9kKj+6+h8gOicfwl8fTlo6vqJuUta3N9qv3LG18TYoOsGDEtrA==
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 26 Feb 2025 05:12:26 GMT Server: Apache Content-Encoding: gzip
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 26 Feb 2025 05:12:29 GMT Server: Apache Content-Encoding: gzip
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Wed, 26 Feb 2025 05:12:31 GMT Server: Apache Content-Encoding: gzip
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 837 Connection: close Date: Wed, 26 Feb 2025 05:12:34 GMT Server: Apache Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta c
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 26 Feb 2025 05:12:39 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 26 Feb 2025 05:12:42 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 26 Feb 2025 05:12:45 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 26 Feb 2025 05:12:47 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Feb 2025 05:13:07 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66706af2-8a" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Feb 2025 05:13:09 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66706af2-8a" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Feb 2025 05:13:12 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66706af2-8a" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Feb 2025 05:13:14 GMT Content-Type: text/html Content-Length: 138 Connection: close ETag: "66706af2-8a" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

                E-Banking Fraud

                Source: Yara match File source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000009.00000002.4160341209.0000000000E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.4159091548.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2157979065.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2157335781.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.4160603364.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.4160671939.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.4160551388.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2163605937.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_0042CC13 NtClose,3_2_0042CC13
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22B60 NtClose,LdrInitializeThunk,3_2_00F22B60
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_00F22C70
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_00F22DF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F235C0 NtCreateMutant,LdrInitializeThunk,3_2_00F235C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F24340 NtSetContextThread,3_2_00F24340
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F24650 NtSuspendThread,3_2_00F24650
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22AF0 NtWriteFile,3_2_00F22AF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22AD0 NtReadFile,3_2_00F22AD0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22AB0 NtWaitForSingleObject,3_2_00F22AB0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22BF0 NtAllocateVirtualMemory,3_2_00F22BF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22BE0 NtQueryValueKey,3_2_00F22BE0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22BA0 NtEnumerateValueKey,3_2_00F22BA0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22B80 NtQueryInformationFile,3_2_00F22B80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22CF0 NtOpenProcess,3_2_00F22CF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22CC0 NtQueryVirtualMemory,3_2_00F22CC0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22CA0 NtQueryInformationToken,3_2_00F22CA0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22C60 NtCreateKey,3_2_00F22C60
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22C00 NtQueryInformationProcess,3_2_00F22C00
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22DD0 NtDelayExecution,3_2_00F22DD0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22DB0 NtEnumerateKey,3_2_00F22DB0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22D30 NtUnmapViewOfSection,3_2_00F22D30
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22D10 NtMapViewOfSection,3_2_00F22D10
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22D00 NtSetInformationFile,3_2_00F22D00
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22EE0 NtQueueApcThread,3_2_00F22EE0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22EA0 NtAdjustPrivilegesToken,3_2_00F22EA0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22E80 NtReadVirtualMemory,3_2_00F22E80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22E30 NtWriteVirtualMemory,3_2_00F22E30
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22FE0 NtCreateFile,3_2_00F22FE0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22FB0 NtResumeThread,3_2_00F22FB0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22FA0 NtQuerySection,3_2_00F22FA0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22F90 NtProtectVirtualMemory,3_2_00F22F90
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22F60 NtCreateProcessEx,3_2_00F22F60
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F22F30 NtCreateSection,3_2_00F22F30
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F23090 NtSetValueKey,3_2_00F23090
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F23010 NtOpenDirectoryObject,3_2_00F23010
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F239B0 NtGetContextThread,3_2_00F239B0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F23D70 NtOpenThread,3_2_00F23D70
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F23D10 NtOpenProcessToken,3_2_00F23D10
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C4650 NtSuspendThread,LdrInitializeThunk,8_2_049C4650
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C4340 NtSetContextThread,LdrInitializeThunk,8_2_049C4340
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2CA0 NtQueryInformationToken,LdrInitializeThunk,8_2_049C2CA0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_049C2C70
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2C60 NtCreateKey,LdrInitializeThunk,8_2_049C2C60
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2DD0 NtDelayExecution,LdrInitializeThunk,8_2_049C2DD0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_049C2DF0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2D10 NtMapViewOfSection,LdrInitializeThunk,8_2_049C2D10
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2D30 NtUnmapViewOfSection,LdrInitializeThunk,8_2_049C2D30
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2E80 NtReadVirtualMemory,LdrInitializeThunk,8_2_049C2E80
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2EE0 NtQueueApcThread,LdrInitializeThunk,8_2_049C2EE0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2FB0 NtResumeThread,LdrInitializeThunk,8_2_049C2FB0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2FE0 NtCreateFile,LdrInitializeThunk,8_2_049C2FE0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2F30 NtCreateSection,LdrInitializeThunk,8_2_049C2F30
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2AD0 NtReadFile,LdrInitializeThunk,8_2_049C2AD0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2AF0 NtWriteFile,LdrInitializeThunk,8_2_049C2AF0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2BA0 NtEnumerateValueKey,LdrInitializeThunk,8_2_049C2BA0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,8_2_049C2BF0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2BE0 NtQueryValueKey,LdrInitializeThunk,8_2_049C2BE0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2B60 NtClose,LdrInitializeThunk,8_2_049C2B60
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C35C0 NtCreateMutant,LdrInitializeThunk,8_2_049C35C0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C39B0 NtGetContextThread,LdrInitializeThunk,8_2_049C39B0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2CC0 NtQueryVirtualMemory,8_2_049C2CC0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2CF0 NtOpenProcess,8_2_049C2CF0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2C00 NtQueryInformationProcess,8_2_049C2C00
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2DB0 NtEnumerateKey,8_2_049C2DB0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2D00 NtSetInformationFile,8_2_049C2D00
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2EA0 NtAdjustPrivilegesToken,8_2_049C2EA0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2E30 NtWriteVirtualMemory,8_2_049C2E30
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2F90 NtProtectVirtualMemory,8_2_049C2F90
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2FA0 NtQuerySection,8_2_049C2FA0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2F60 NtCreateProcessEx,8_2_049C2F60
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2AB0 NtWaitForSingleObject,8_2_049C2AB0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C2B80 NtQueryInformationFile,8_2_049C2B80
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C3090 NtSetValueKey,8_2_049C3090
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C3010 NtOpenDirectoryObject,8_2_049C3010
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C3D10 NtOpenProcessToken,8_2_049C3D10
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_049C3D70 NtOpenThread,8_2_049C3D70
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_00729570 NtCreateFile,8_2_00729570
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_007296E0 NtReadFile,8_2_007296E0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_007297D0 NtDeleteFile,8_2_007297D0
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_00729870 NtClose,8_2_00729870
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_007299D0 NtAllocateVirtualMemory,8_2_007299D0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04953FD28_2_04953FD2
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A4FF098_2_04A4FF09
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_049938E08_2_049938E0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_049FD8008_2_049FD800
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A259108_2_04A25910
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_049999508_2_04999950
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_049AB9508_2_049AB950
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A31AA38_2_04A31AA3
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A2DAAC8_2_04A2DAAC
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_049D5AA08_2_049D5AA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A3DAC68_2_04A3DAC6
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A03A6C8_2_04A03A6C
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A47A468_2_04A47A46
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A4FA498_2_04A4FA49
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_049AFB808_2_049AFB80
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A05BF08_2_04A05BF0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_049CDBF98_2_049CDBF9
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04A4FB768_2_04A4FB76
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_007121208_2_00712120
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0070D0108_2_0070D010
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0070D2308_2_0070D230
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0070B2208_2_0070B220
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0070B2178_2_0070B217
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0070B3708_2_0070B370
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0070B36B8_2_0070B36B
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_007157B08_2_007157B0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_007139C08_2_007139C0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_007139C58_2_007139C5
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0072BEA08_2_0072BEA0
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0481E4A38_2_0481E4A3
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_048254248_2_04825424
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0481E3848_2_0481E384
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0481E83D8_2_0481E83D
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_0481D9088_2_0481D908
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: 8_2_04825BD18_2_04825BD1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: String function: 00F5EA12 appears 86 times
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: String function: 00F25130 appears 58 times
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: String function: 00F6F290 appears 103 times
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: String function: 00F37E54 appears 107 times
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: String function: 00EDB970 appears 262 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 0497B970 appears 262 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 049C5130 appears 58 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 049FEA12 appears 86 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 049D7E54 appears 107 times
                Source: C:\Windows\SysWOW64\dxdiag.exeCode function: String function: 04A0F290 appears 103 times
                Source: FRQ 101102-04-25-0948-015.exe, 00000000.00000000.1689997706.0000000000C00000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametXUw.exe4 vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe, 00000000.00000002.1719662454.00000000058E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe, 00000000.00000002.1717754352.0000000004029000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe, 00000000.00000002.1716626957.000000000306F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTL.dll" vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe, 00000000.00000002.1714505797.00000000011EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe, 00000000.00000002.1721069164.00000000079A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe, 00000003.00000002.2158100543.0000000000FDD000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe | Binary or memory string: OriginalFilenametXUw.exe4 vs FRQ 101102-04-25-0948-015.exe
                Source: FRQ 101102-04-25-0948-015.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: FRQ 101102-04-25-0948-015.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, PkFFDb13IaLqBFbrOX.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, PkFFDb13IaLqBFbrOX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, PkFFDb13IaLqBFbrOX.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, PkFFDb13IaLqBFbrOX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/2@14/7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FRQ 101102-04-25-0948-015.exe.log
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Mutant created: NULL
                Source: C:\Windows\SysWOW64\dxdiag.exe | File created: C:\Users\user\AppData\Local\Temp\20Xb-18
                Source: FRQ 101102-04-25-0948-015.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: dxdiag.exe, 00000008.00000002.4159342967.0000000002B37000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2337925473.0000000002B37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: FRQ 101102-04-25-0948-015.exe | Virustotal: Detection: 43%
                Source: FRQ 101102-04-25-0948-015.exe | ReversingLabs: Detection: 42%
                Source: unknown | Process created: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe "C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe"
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Process created: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe "C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe"
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Process created: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe "C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe"
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe | Process created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"
                Source: C:\Windows\SysWOW64\dxdiag.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Section loaded: iconcodecservice.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Windows\SysWOW64\dxdiag.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: FRQ 101102-04-25-0948-015.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: FRQ 101102-04-25-0948-015.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: FRQ 101102-04-25-0948-015.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: dxdiag.pdbGCTL source: qUbKt1u3h.exe, 00000007.00000002.4159815797.00000000013EE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: FRQ 101102-04-25-0948-015.exe, 00000003.00000002.2158100543.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000002.4160883675.0000000004950000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000002.4160883675.0000000004AEE000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2157574932.00000000045F0000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2164234539.00000000047A3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: dxdiag.pdb source: qUbKt1u3h.exe, 00000007.00000002.4159815797.00000000013EE000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: FRQ 101102-04-25-0948-015.exe, FRQ 101102-04-25-0948-015.exe, 00000003.00000002.2158100543.0000000000EB0000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, dxdiag.exe, 00000008.00000002.4160883675.0000000004950000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000002.4160883675.0000000004AEE000.00000040.00001000.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2157574932.00000000045F0000.00000004.00000020.00020000.00000000.sdmp, dxdiag.exe, 00000008.00000003.2164234539.00000000047A3000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qUbKt1u3h.exe, 00000007.00000000.2078529782.0000000000DEF000.00000002.00000001.01000000.0000000C.sdmp, qUbKt1u3h.exe, 00000009.00000000.2228666359.0000000000DEF000.00000002.00000001.01000000.0000000C.sdmp

                Data Obfuscation

                Source: FRQ 101102-04-25-0948-015.exe, BackgroundForms.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.31ce138.0.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | .Net Code: MOVQ9xlvo3 System.Reflection.Assembly.Load(byte[])
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.58e0000.4.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, mxCMeZ4ZFsV2EFokai.cs | .Net Code: MOVQ9xlvo3 System.Reflection.Assembly.Load(byte[])
                Source: 8.2.dxdiag.exe.4f7cd14.2.raw.unpack, BackgroundForms.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 9.0.qUbKt1u3h.exe.2cbcd14.1.raw.unpack, BackgroundForms.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 9.2.qUbKt1u3h.exe.2cbcd14.1.raw.unpack, BackgroundForms.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 10.2.firefox.exe.2580cd14.0.raw.unpack, BackgroundForms.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: FRQ 101102-04-25-0948-015.exe | Static PE information: 0xD984F780 [Thu Aug 23 01:53:04 2085 UTC]
                Source: FRQ 101102-04-25-0948-015.exe | Static PE information: section name: .text entropy: 7.792813762636814
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, hQXCap2VFchGRvYMn3.csHigh entropy of concatenated method names: 'XDacxoCsQp', 'GRvcJl71WY', 'shJcc9elgY', 'Ro1cNwGjtn', 'IPrcowMu7r', 'KT7cvVUjf7', 'Dispose', 'W6SUm1S6o5', 'S5aUpgW3u7', 'mKZUe8ABWH'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, UMAXqqAjZJ94S59OXZ.csHigh entropy of concatenated method names: 'NF0s3CJSYH', 'NuOspdiXYm', 'zsqs0c0r7S', 'MvVsIVUp7V', 'gnHs4Zp6s7', 'pTT0uNV4XM', 'oOK0bvMkgj', 'x1602U6PLD', 'hZI0ZQ0dDn', 'HSm0WjbVLx'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, BuEBtwnjXQl9Gg8513.csHigh entropy of concatenated method names: 'TcoediUXYB', 'e6Le8MKZr9', 'WVNe1gZYrc', 'oXcenv7P3s', 'yXhexKdJ7S', 'R3helSV3IP', 'mqTeJAJXln', 'XT9eUclikF', 'Po9ecy579Y', 'CMJet6YMkW'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, vvE4qC7cdjckAfq0va.csHigh entropy of concatenated method names: 'Tjq9l6Se9', 'KRUdKlWUK', 'Lrp8oxdjT', 'vDngCSW3n', 'EqCnwTJF3', 'vAUwbb8mj', 'kg3pcQnoD9Odu80lHY', 'NJIQIEasM76n8hKdK0', 'DY9UP0GSI', 'p1wtOchr1'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.79a0000.5.raw.unpack, EfHOV4Hg6sqYyBB22Y.csHigh entropy of concatenated method names: 'BNtsvkXXaZ', 'wDEsSyqtHk', 'mZss98OsGO', 'W0Csd6KYSk', 'Dqgs8J6ja3', 'BTcsggJtFo', 'JvBsn3200A', 'uqrswQVusR', 'c0sE9pvNu73HbwLIrSC', 'OM1PetvI7NilhLE2kMJ'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, hZRD3sPRDq12wcHf4h.csHigh entropy of concatenated method names: 'fZRJi9bkMf', 'oBAJG7bCIT', 'ToString', 'leTJmRRb0U', 'PmNJpX2SE2', 'xyGJeZ0VnA', 'vhEJ0fYgcN', 'jVkJsd1lXg', 'tIsJITsMH5', 'H5fJ47mXv9'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, PkFFDb13IaLqBFbrOX.csHigh entropy of concatenated method names: 'XfWpXXPqqO', 'ubxpyLCUyN', 'CnCpfasMWh', 'CHvpPrJFLP', 's3vpudf9UP', 'WnUpbig6Xc', 'UO6p2K5KWJ', 'h1mpZgyQ9o', 'lS1pW87NKv', 'F96pLAxRFD'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, fHxJmdjQrwBsQZNk0Xu.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'BNlEce75yG', 'nR7EtdBugV', 'MHZENnVFTg', 'BbvEEdW9p1', 'xcrEo1wwC5', 'o0tEKgCTTp', 'ebOEv3BDY0'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, FtbwLyM806VrZ4xTUY.csHigh entropy of concatenated method names: 'GcUIm5Tr7g', 'GqAIepkxIx', 'LiZIsAuOJd', 'tTpsLtAosG', 'oOFszTwR2k', 'pQnIqQa6yV', 'hhsIj5E849', 'oewI7UyZlp', 'qqCIFVqTxN', 'MwqIQejsqd'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, WuyaqLwiCuJVDY1nc7.csHigh entropy of concatenated method names: 'na80k8ZhXm', 'yCa0gmWTwf', 'RAaeBiXAAP', 'RqReHvkjsF', 'Lpne59iFJq', 'DgNeYxjpwf', 'BIneMPmgTk', 'ojheVgwdWf', 'xp0eRcSUV4', 'liWeD1qDTN'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, qIY0dnj7HlhTsVtmo8M.csHigh entropy of concatenated method names: 'ToString', 'BSON1batur', 'SNANnaQGBx', 'kdgNwyOPgD', 'xnnNAQtonb', 'MbTNh8jl4D', 'AveNBdSfry', 'yr1NHbdIWk', 'EsR97wszop4AyBFdijk', 'hVZqHZGjlMM3RJsLcqJ'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, YmPeeIpAcHK2nfhEsQ.csHigh entropy of concatenated method names: 'Dispose', 'rhGjWRvYMn', 'YEb7hky4T2', 'nSNHaKVCIo', 'ebjjLmaWLx', 'JCojzvlbTc', 'ProcessDialogKey', 'TNn7q0yPKA', 'yXg7jx9H9t', 'm3p77fG5BC'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, SG5BCYLNAMfo7fnU15.csHigh entropy of concatenated method names: 'YPsteSP0dV', 'NuIt0wMvK4', 'y02tsBh3QO', 'hiatIiJow5', 'KDEtcbT0fh', 'eKOt4kv7t7', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, NTUhMFQ7j6dZbgkUho.csHigh entropy of concatenated method names: 'OFajIkFFDb', 'eIaj4LqBFb', 'FjXjiQl9Gg', 'C51jG3Zuya', 'K1njxc7uMA', 'RqqjljZJ94', 'l5uMpi2vuygjdMp9Lt', 'F5VdMCRWSCCHyEIDpd', 'vObjjjmHDk', 'k92jF7q1Dv'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, OHSUdWjjlkbIl7E1fhK.csHigh entropy of concatenated method names: 'zjMtLiL6KS', 'RIEtz1luuE', 'mi4NqkMZCO', 'cQMNj7ygOs', 'nN6N78Y0A1', 'edKNF5Kvnp', 'mZUNQ7ZGu5', 'UbiN3ChFyg', 'AZ2Nmsxl64', 'jElNpgUrdd'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, Yfxlv562bi6p6tPeiq.csHigh entropy of concatenated method names: 'EBMT1DeTI5', 'ym4TnXnu1W', 'IHfTA8EhFY', 'lTEThiHMhT', 'oCuTH0Y0sI', 'QvlT5qA9Lo', 'z1FTMPiZqP', 't2hTVVGDfv', 'cYsTDp5Gb4', 'xMoTOS26X0'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, qDSYffbT7ZoMKNIPQ7.csHigh entropy of concatenated method names: 'nNFJZGFLSW', 'KQwJLjdGts', 'TCqUqv6JOB', 'o1yUjyhbJ9', 'cqQJOkSyrt', 'RRXJagOT65', 'DHJJ6K9eDo', 'NYJJXADE7v', 'TTBJyaDXW8', 'Sn0JfSwWb7'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, CubVbCzEr9x7B13p05.csHigh entropy of concatenated method names: 'sD9t8Zf7ma', 'dGdt1tQIIw', 'nZPtnTNTck', 'BxrtAFibY1', 'x64thP76ob', 'Bf3tHwbdJH', 'Syht5qM17H', 'AsntvSnLJM', 'Lo8tS6w71r', 'FSatCJ0tND'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, xpgSlsYiosjZHUm4ZY.csHigh entropy of concatenated method names: 'zrRsfDrABl', 'djBsP9mFCQ', 'C85suddqeS', 'ToString', 'xY3sbQisEJ', 'gpAs2q4WDp', 'v6Qny0vZKjiEbMfk0md', 'XgO4eqvngNC1iL37atF', 'jZAcbrvaB846SjDwaZs'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, mxCMeZ4ZFsV2EFokai.csHigh entropy of concatenated method names: 'oeeF3iyBgO', 'y3jFme9NGW', 'gDOFpEXvpB', 'agDFeFY5er', 'EI4F0muobt', 'GtTFsTfdnv', 'N80FIfcggT', 'MjmF4vyJhY', 'anpFrvgq9w', 'pH4FiwUJlI'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, E0yPKAWCXgx9H9ti3p.csHigh entropy of concatenated method names: 'OT3cAlnXvY', 'sKDchtG3T9', 'fQjcBJmJxP', 'o9LcHog2H3', 'Cgkc52oTFS', 'y2AcYVELg1', 'Jm5cMdqVjc', 'N54cVpjeKX', 'GTNcRGg1iN', 'EWXcDiMCTE'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, WrJ0fmRQjonuvViq9A.csHigh entropy of concatenated method names: 'b6oISNroh9', 'BUUICvbgDE', 'xRnI9jdktY', 'K90IdHrdvq', 'Q91Ik4fs3T', 'NZAI88TBN1', 'Tq4IgV8ubF', 'B7hI1hWpc2', 'eU3InjBnRn', 'SQvIwWbn4R'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, lYEku0XFjfAYuNid58.csHigh entropy of concatenated method names: 'DRJxDCNe9l', 'borxarZvx8', 'A0nxXOFAlQ', 'IONxyidsvi', 'j17xha92oF', 'nxtxBNmpbx', 'TBgxHWmVrc', 'Sxux5oujCv', 'pQWxYyyKWO', 'gm6xMkTDWm'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, tp2jbyjqZ5cQ2xyXhbR.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uPRtOOfYhd', 't3vtaFc0HX', 'HJZt6dx3he', 'aHatX4vQFh', 'IcPtyHYJFD', 'q13tfHdtYU', 'IomtP9X1p4'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, EdseoseMHMPKYOIPfR.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CtD7WmWSIH', 'zvi7L0m27y', 'Veu7z9Acev', 'a2dFqVGrwA', 'EmcFjWAT86', 'VI1F7ykpRX', 'adnFFrVmSI', 'YYQVBkbGrw6rMCNhgAy'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, hQXCap2VFchGRvYMn3.csHigh entropy of concatenated method names: 'XDacxoCsQp', 'GRvcJl71WY', 'shJcc9elgY', 'Ro1cNwGjtn', 'IPrcowMu7r', 'KT7cvVUjf7', 'Dispose', 'W6SUm1S6o5', 'S5aUpgW3u7', 'mKZUe8ABWH'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, UMAXqqAjZJ94S59OXZ.csHigh entropy of concatenated method names: 'NF0s3CJSYH', 'NuOspdiXYm', 'zsqs0c0r7S', 'MvVsIVUp7V', 'gnHs4Zp6s7', 'pTT0uNV4XM', 'oOK0bvMkgj', 'x1602U6PLD', 'hZI0ZQ0dDn', 'HSm0WjbVLx'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, BuEBtwnjXQl9Gg8513.csHigh entropy of concatenated method names: 'TcoediUXYB', 'e6Le8MKZr9', 'WVNe1gZYrc', 'oXcenv7P3s', 'yXhexKdJ7S', 'R3helSV3IP', 'mqTeJAJXln', 'XT9eUclikF', 'Po9ecy579Y', 'CMJet6YMkW'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, vvE4qC7cdjckAfq0va.csHigh entropy of concatenated method names: 'Tjq9l6Se9', 'KRUdKlWUK', 'Lrp8oxdjT', 'vDngCSW3n', 'EqCnwTJF3', 'vAUwbb8mj', 'kg3pcQnoD9Odu80lHY', 'NJIQIEasM76n8hKdK0', 'DY9UP0GSI', 'p1wtOchr1'
                Source: 0.2.FRQ 101102-04-25-0948-015.exe.42a0238.2.raw.unpack, EfHOV4Hg6sqYyBB22Y.csHigh entropy of concatenated method names: 'BNtsvkXXaZ', 'wDEsSyqtHk', 'mZss98OsGO', 'W0Csd6KYSk', 'Dqgs8J6ja3', 'BTcsggJtFo', 'JvBsn3200A', 'uqrswQVusR', 'c0sE9pvNu73HbwLIrSC', 'OM1PetvI7NilhLE2kMJ'
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\dxdiag.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match File source: Process Memory Space: FRQ 101102-04-25-0948-015.exe PID: 7300, type: MEMORYSTR
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\dxdiag.exe API/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Memory allocated: 1460000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Memory allocated: 3020000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Memory allocated: 2D30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Memory allocated: 9180000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Memory allocated: 7B70000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Memory allocated: A180000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Memory allocated: B180000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F2096E rdtsc 3_2_00F2096E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\dxdiag.exe Window / User API: threadDelayed 4804
                Source: C:\Windows\SysWOW64\dxdiag.exe Window / User API: threadDelayed 5169
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\dxdiag.exe API coverage: 2.7 %
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe TID: 7304 Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe TID: 7320 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7944 Thread sleep count: 4804 > 30
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7944 Thread sleep time: -9608000s >= -30000s
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7944 Thread sleep count: 5169 > 30
                Source: C:\Windows\SysWOW64\dxdiag.exe TID: 7944 Thread sleep time: -10338000s >= -30000s
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe TID: 7988 Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe TID: 7988 Thread sleep time: -52500s >= -30000s
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe TID: 7988 Thread sleep time: -36000s >= -30000s
                Source: C:\Windows\SysWOW64\dxdiag.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\dxdiag.exe Code function: 8_2_0071C9E0 FindFirstFileW,FindNextFileW,FindClose,8_2_0071C9E0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Thread delayed: delay time: 30000
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Thread delayed: delay time: 922337203685477
                Source: dxdiag.exe, 00000008.00000002.4159342967.0000000002ACA000.00000004.00000020.00020000.00000000.sdmp, qUbKt1u3h.exe, 00000009.00000002.4159862915.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2456476365.00000234657BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\dxdiag.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00F2096E rdtsc 3_2_00F2096E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe Code function: 3_2_00417CF3 LdrLoadDll,3_2_00417CF3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8E10E mov eax, dword ptr fs:[00000030h]3_2_00F8E10E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8E10E mov ecx, dword ptr fs:[00000030h]3_2_00F8E10E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF02E1 mov eax, dword ptr fs:[00000030h]3_2_00EF02E1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF02E1 mov eax, dword ptr fs:[00000030h]3_2_00EF02E1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF02E1 mov eax, dword ptr fs:[00000030h]3_2_00EF02E1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA2C3 mov eax, dword ptr fs:[00000030h]3_2_00EEA2C3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA2C3 mov eax, dword ptr fs:[00000030h]3_2_00EEA2C3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA2C3 mov eax, dword ptr fs:[00000030h]3_2_00EEA2C3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA2C3 mov eax, dword ptr fs:[00000030h]3_2_00EEA2C3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA2C3 mov eax, dword ptr fs:[00000030h]3_2_00EEA2C3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB62D6 mov eax, dword ptr fs:[00000030h]3_2_00FB62D6
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF02A0 mov eax, dword ptr fs:[00000030h]3_2_00EF02A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF02A0 mov eax, dword ptr fs:[00000030h]3_2_00EF02A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F762A0 mov eax, dword ptr fs:[00000030h]3_2_00F762A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F762A0 mov ecx, dword ptr fs:[00000030h]3_2_00F762A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F762A0 mov eax, dword ptr fs:[00000030h]3_2_00F762A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F762A0 mov eax, dword ptr fs:[00000030h]3_2_00F762A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F762A0 mov eax, dword ptr fs:[00000030h]3_2_00F762A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F762A0 mov eax, dword ptr fs:[00000030h]3_2_00F762A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F60283 mov eax, dword ptr fs:[00000030h]3_2_00F60283
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F60283 mov eax, dword ptr fs:[00000030h]3_2_00F60283
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F60283 mov eax, dword ptr fs:[00000030h]3_2_00F60283
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E284 mov eax, dword ptr fs:[00000030h]3_2_00F1E284
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E284 mov eax, dword ptr fs:[00000030h]3_2_00F1E284
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED826B mov eax, dword ptr fs:[00000030h]3_2_00ED826B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F90274 mov eax, dword ptr fs:[00000030h]3_2_00F90274
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE4260 mov eax, dword ptr fs:[00000030h]3_2_00EE4260
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE4260 mov eax, dword ptr fs:[00000030h]3_2_00EE4260
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE4260 mov eax, dword ptr fs:[00000030h]3_2_00EE4260
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB625D mov eax, dword ptr fs:[00000030h]3_2_00FB625D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F9A250 mov eax, dword ptr fs:[00000030h]3_2_00F9A250
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F9A250 mov eax, dword ptr fs:[00000030h]3_2_00F9A250
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F68243 mov eax, dword ptr fs:[00000030h]3_2_00F68243
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F68243 mov ecx, dword ptr fs:[00000030h]3_2_00F68243
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6259 mov eax, dword ptr fs:[00000030h]3_2_00EE6259
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDA250 mov eax, dword ptr fs:[00000030h]3_2_00EDA250
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED823B mov eax, dword ptr fs:[00000030h]3_2_00ED823B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF03E9 mov eax, dword ptr fs:[00000030h]3_2_00EF03E9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F163FF mov eax, dword ptr fs:[00000030h]3_2_00F163FF
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EFE3F0 mov eax, dword ptr fs:[00000030h]3_2_00EFE3F0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EFE3F0 mov eax, dword ptr fs:[00000030h]3_2_00EFE3F0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EFE3F0 mov eax, dword ptr fs:[00000030h]3_2_00EFE3F0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8E3DB mov eax, dword ptr fs:[00000030h]3_2_00F8E3DB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8E3DB mov eax, dword ptr fs:[00000030h]3_2_00F8E3DB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8E3DB mov ecx, dword ptr fs:[00000030h]3_2_00F8E3DB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8E3DB mov eax, dword ptr fs:[00000030h]3_2_00F8E3DB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F843D4 mov eax, dword ptr fs:[00000030h]3_2_00F843D4
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F843D4 mov eax, dword ptr fs:[00000030h]3_2_00F843D4
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA3C0 mov eax, dword ptr fs:[00000030h]3_2_00EEA3C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA3C0 mov eax, dword ptr fs:[00000030h]3_2_00EEA3C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA3C0 mov eax, dword ptr fs:[00000030h]3_2_00EEA3C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA3C0 mov eax, dword ptr fs:[00000030h]3_2_00EEA3C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA3C0 mov eax, dword ptr fs:[00000030h]3_2_00EEA3C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA3C0 mov eax, dword ptr fs:[00000030h]3_2_00EEA3C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE83C0 mov eax, dword ptr fs:[00000030h]3_2_00EE83C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE83C0 mov eax, dword ptr fs:[00000030h]3_2_00EE83C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE83C0 mov eax, dword ptr fs:[00000030h]3_2_00EE83C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE83C0 mov eax, dword ptr fs:[00000030h]3_2_00EE83C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F9C3CD mov eax, dword ptr fs:[00000030h]3_2_00F9C3CD
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F663C0 mov eax, dword ptr fs:[00000030h]3_2_00F663C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDE388 mov eax, dword ptr fs:[00000030h]3_2_00EDE388
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDE388 mov eax, dword ptr fs:[00000030h]3_2_00EDE388
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDE388 mov eax, dword ptr fs:[00000030h]3_2_00EDE388
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED8397 mov eax, dword ptr fs:[00000030h]3_2_00ED8397
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED8397 mov eax, dword ptr fs:[00000030h]3_2_00ED8397
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED8397 mov eax, dword ptr fs:[00000030h]3_2_00ED8397
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0438F mov eax, dword ptr fs:[00000030h]3_2_00F0438F
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0438F mov eax, dword ptr fs:[00000030h]3_2_00F0438F
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8437C mov eax, dword ptr fs:[00000030h]3_2_00F8437C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FAA352 mov eax, dword ptr fs:[00000030h]3_2_00FAA352
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F88350 mov ecx, dword ptr fs:[00000030h]3_2_00F88350
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6035C mov eax, dword ptr fs:[00000030h]3_2_00F6035C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6035C mov eax, dword ptr fs:[00000030h]3_2_00F6035C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6035C mov eax, dword ptr fs:[00000030h]3_2_00F6035C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6035C mov ecx, dword ptr fs:[00000030h]3_2_00F6035C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6035C mov eax, dword ptr fs:[00000030h]3_2_00F6035C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6035C mov eax, dword ptr fs:[00000030h]3_2_00F6035C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB634F mov eax, dword ptr fs:[00000030h]3_2_00FB634F
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F62349 mov eax, dword ptr fs:[00000030h]3_2_00F62349
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB8324 mov eax, dword ptr fs:[00000030h]3_2_00FB8324
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB8324 mov ecx, dword ptr fs:[00000030h]3_2_00FB8324
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB8324 mov eax, dword ptr fs:[00000030h]3_2_00FB8324
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB8324 mov eax, dword ptr fs:[00000030h]3_2_00FB8324
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F00310 mov ecx, dword ptr fs:[00000030h]3_2_00F00310
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A30B mov eax, dword ptr fs:[00000030h]3_2_00F1A30B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A30B mov eax, dword ptr fs:[00000030h]3_2_00F1A30B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A30B mov eax, dword ptr fs:[00000030h]3_2_00F1A30B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDC310 mov ecx, dword ptr fs:[00000030h]3_2_00EDC310
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE04E5 mov ecx, dword ptr fs:[00000030h]3_2_00EE04E5
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F144B0 mov ecx, dword ptr fs:[00000030h]3_2_00F144B0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE64AB mov eax, dword ptr fs:[00000030h]3_2_00EE64AB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6A4B0 mov eax, dword ptr fs:[00000030h]3_2_00F6A4B0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F9A49A mov eax, dword ptr fs:[00000030h]3_2_00F9A49A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0A470 mov eax, dword ptr fs:[00000030h]3_2_00F0A470
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0A470 mov eax, dword ptr fs:[00000030h]3_2_00F0A470
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0A470 mov eax, dword ptr fs:[00000030h]3_2_00F0A470
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6C460 mov ecx, dword ptr fs:[00000030h]3_2_00F6C460
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0245A mov eax, dword ptr fs:[00000030h]3_2_00F0245A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F9A456 mov eax, dword ptr fs:[00000030h]3_2_00F9A456
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED645D mov eax, dword ptr fs:[00000030h]3_2_00ED645D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E443 mov eax, dword ptr fs:[00000030h]3_2_00F1E443
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDC427 mov eax, dword ptr fs:[00000030h]3_2_00EDC427
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDE420 mov eax, dword ptr fs:[00000030h]3_2_00EDE420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDE420 mov eax, dword ptr fs:[00000030h]3_2_00EDE420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDE420 mov eax, dword ptr fs:[00000030h]3_2_00EDE420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F66420 mov eax, dword ptr fs:[00000030h]3_2_00F66420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F66420 mov eax, dword ptr fs:[00000030h]3_2_00F66420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F66420 mov eax, dword ptr fs:[00000030h]3_2_00F66420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F66420 mov eax, dword ptr fs:[00000030h]3_2_00F66420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F66420 mov eax, dword ptr fs:[00000030h]3_2_00F66420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F66420 mov eax, dword ptr fs:[00000030h]3_2_00F66420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F66420 mov eax, dword ptr fs:[00000030h]3_2_00F66420
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F18402 mov eax, dword ptr fs:[00000030h]3_2_00F18402
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F18402 mov eax, dword ptr fs:[00000030h]3_2_00F18402
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F18402 mov eax, dword ptr fs:[00000030h]3_2_00F18402
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE25E0 mov eax, dword ptr fs:[00000030h]3_2_00EE25E0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E5E7 mov eax, dword ptr fs:[00000030h]3_2_00F0E5E7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C5ED mov eax, dword ptr fs:[00000030h]3_2_00F1C5ED
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C5ED mov eax, dword ptr fs:[00000030h]3_2_00F1C5ED
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A5D0 mov eax, dword ptr fs:[00000030h]3_2_00F1A5D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A5D0 mov eax, dword ptr fs:[00000030h]3_2_00F1A5D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E5CF mov eax, dword ptr fs:[00000030h]3_2_00F1E5CF
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E5CF mov eax, dword ptr fs:[00000030h]3_2_00F1E5CF
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE65D0 mov eax, dword ptr fs:[00000030h]3_2_00EE65D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F045B1 mov eax, dword ptr fs:[00000030h]3_2_00F045B1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F045B1 mov eax, dword ptr fs:[00000030h]3_2_00F045B1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F605A7 mov eax, dword ptr fs:[00000030h]3_2_00F605A7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F605A7 mov eax, dword ptr fs:[00000030h]3_2_00F605A7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F605A7 mov eax, dword ptr fs:[00000030h]3_2_00F605A7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE2582 mov eax, dword ptr fs:[00000030h]3_2_00EE2582
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE2582 mov ecx, dword ptr fs:[00000030h]3_2_00EE2582
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1E59C mov eax, dword ptr fs:[00000030h]3_2_00F1E59C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F14588 mov eax, dword ptr fs:[00000030h]3_2_00F14588
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1656A mov eax, dword ptr fs:[00000030h]3_2_00F1656A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1656A mov eax, dword ptr fs:[00000030h]3_2_00F1656A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1656A mov eax, dword ptr fs:[00000030h]3_2_00F1656A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8550 mov eax, dword ptr fs:[00000030h]3_2_00EE8550
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8550 mov eax, dword ptr fs:[00000030h]3_2_00EE8550
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E53E mov eax, dword ptr fs:[00000030h]3_2_00F0E53E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E53E mov eax, dword ptr fs:[00000030h]3_2_00F0E53E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E53E mov eax, dword ptr fs:[00000030h]3_2_00F0E53E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E53E mov eax, dword ptr fs:[00000030h]3_2_00F0E53E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E53E mov eax, dword ptr fs:[00000030h]3_2_00F0E53E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0535 mov eax, dword ptr fs:[00000030h]3_2_00EF0535
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0535 mov eax, dword ptr fs:[00000030h]3_2_00EF0535
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0535 mov eax, dword ptr fs:[00000030h]3_2_00EF0535
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0535 mov eax, dword ptr fs:[00000030h]3_2_00EF0535
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0535 mov eax, dword ptr fs:[00000030h]3_2_00EF0535
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0535 mov eax, dword ptr fs:[00000030h]3_2_00EF0535
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F76500 mov eax, dword ptr fs:[00000030h]3_2_00F76500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4500 mov eax, dword ptr fs:[00000030h]3_2_00FB4500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4500 mov eax, dword ptr fs:[00000030h]3_2_00FB4500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4500 mov eax, dword ptr fs:[00000030h]3_2_00FB4500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4500 mov eax, dword ptr fs:[00000030h]3_2_00FB4500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4500 mov eax, dword ptr fs:[00000030h]3_2_00FB4500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4500 mov eax, dword ptr fs:[00000030h]3_2_00FB4500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4500 mov eax, dword ptr fs:[00000030h]3_2_00FB4500
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5E6F2 mov eax, dword ptr fs:[00000030h]3_2_00F5E6F2
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5E6F2 mov eax, dword ptr fs:[00000030h]3_2_00F5E6F2
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5E6F2 mov eax, dword ptr fs:[00000030h]3_2_00F5E6F2
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5E6F2 mov eax, dword ptr fs:[00000030h]3_2_00F5E6F2
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F606F1 mov eax, dword ptr fs:[00000030h]3_2_00F606F1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F606F1 mov eax, dword ptr fs:[00000030h]3_2_00F606F1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A6C7 mov ebx, dword ptr fs:[00000030h]3_2_00F1A6C7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A6C7 mov eax, dword ptr fs:[00000030h]3_2_00F1A6C7
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F166B0 mov eax, dword ptr fs:[00000030h]3_2_00F166B0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C6A6 mov eax, dword ptr fs:[00000030h]3_2_00F1C6A6
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE4690 mov eax, dword ptr fs:[00000030h]3_2_00EE4690
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE4690 mov eax, dword ptr fs:[00000030h]3_2_00EE4690
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F12674 mov eax, dword ptr fs:[00000030h]3_2_00F12674
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A660 mov eax, dword ptr fs:[00000030h]3_2_00F1A660
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A660 mov eax, dword ptr fs:[00000030h]3_2_00F1A660
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FA866E mov eax, dword ptr fs:[00000030h]3_2_00FA866E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FA866E mov eax, dword ptr fs:[00000030h]3_2_00FA866E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EFC640 mov eax, dword ptr fs:[00000030h]3_2_00EFC640
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE262C mov eax, dword ptr fs:[00000030h]3_2_00EE262C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EFE627 mov eax, dword ptr fs:[00000030h]3_2_00EFE627
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F16620 mov eax, dword ptr fs:[00000030h]3_2_00F16620
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F18620 mov eax, dword ptr fs:[00000030h]3_2_00F18620
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF260B mov eax, dword ptr fs:[00000030h]3_2_00EF260B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF260B mov eax, dword ptr fs:[00000030h]3_2_00EF260B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF260B mov eax, dword ptr fs:[00000030h]3_2_00EF260B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF260B mov eax, dword ptr fs:[00000030h]3_2_00EF260B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF260B mov eax, dword ptr fs:[00000030h]3_2_00EF260B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF260B mov eax, dword ptr fs:[00000030h]3_2_00EF260B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF260B mov eax, dword ptr fs:[00000030h]3_2_00EF260B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F22619 mov eax, dword ptr fs:[00000030h]3_2_00F22619
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5E609 mov eax, dword ptr fs:[00000030h]3_2_00F5E609
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE47FB mov eax, dword ptr fs:[00000030h]3_2_00EE47FB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE47FB mov eax, dword ptr fs:[00000030h]3_2_00EE47FB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6E7E1 mov eax, dword ptr fs:[00000030h]3_2_00F6E7E1
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F027ED mov eax, dword ptr fs:[00000030h]3_2_00F027ED
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F027ED mov eax, dword ptr fs:[00000030h]3_2_00F027ED
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F027ED mov eax, dword ptr fs:[00000030h]3_2_00F027ED
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEC7C0 mov eax, dword ptr fs:[00000030h]3_2_00EEC7C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F607C3 mov eax, dword ptr fs:[00000030h]3_2_00F607C3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE07AF mov eax, dword ptr fs:[00000030h]3_2_00EE07AF
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F947A0 mov eax, dword ptr fs:[00000030h]3_2_00F947A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8678E mov eax, dword ptr fs:[00000030h]3_2_00F8678E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8770 mov eax, dword ptr fs:[00000030h]3_2_00EE8770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0770 mov eax, dword ptr fs:[00000030h]3_2_00EF0770
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F22750 mov eax, dword ptr fs:[00000030h]3_2_00F22750
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F22750 mov eax, dword ptr fs:[00000030h]3_2_00F22750
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F64755 mov eax, dword ptr fs:[00000030h]3_2_00F64755
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6E75D mov eax, dword ptr fs:[00000030h]3_2_00F6E75D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1674D mov esi, dword ptr fs:[00000030h]3_2_00F1674D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1674D mov eax, dword ptr fs:[00000030h]3_2_00F1674D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1674D mov eax, dword ptr fs:[00000030h]3_2_00F1674D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE0750 mov eax, dword ptr fs:[00000030h]3_2_00EE0750
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5C730 mov eax, dword ptr fs:[00000030h]3_2_00F5C730
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1273C mov eax, dword ptr fs:[00000030h]3_2_00F1273C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1273C mov ecx, dword ptr fs:[00000030h]3_2_00F1273C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1273C mov eax, dword ptr fs:[00000030h]3_2_00F1273C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C720 mov eax, dword ptr fs:[00000030h]3_2_00F1C720
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C720 mov eax, dword ptr fs:[00000030h]3_2_00F1C720
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F10710 mov eax, dword ptr fs:[00000030h]3_2_00F10710
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C700 mov eax, dword ptr fs:[00000030h]3_2_00F1C700
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE0710 mov eax, dword ptr fs:[00000030h]3_2_00EE0710
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C8F9 mov eax, dword ptr fs:[00000030h]3_2_00F1C8F9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1C8F9 mov eax, dword ptr fs:[00000030h]3_2_00F1C8F9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FAA8E4 mov eax, dword ptr fs:[00000030h]3_2_00FAA8E4
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0E8C0 mov eax, dword ptr fs:[00000030h]3_2_00F0E8C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB08C0 mov eax, dword ptr fs:[00000030h]3_2_00FB08C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE0887 mov eax, dword ptr fs:[00000030h]3_2_00EE0887
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6C89D mov eax, dword ptr fs:[00000030h]3_2_00F6C89D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6E872 mov eax, dword ptr fs:[00000030h]3_2_00F6E872
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6E872 mov eax, dword ptr fs:[00000030h]3_2_00F6E872
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F76870 mov eax, dword ptr fs:[00000030h]3_2_00F76870
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F76870 mov eax, dword ptr fs:[00000030h]3_2_00F76870
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F10854 mov eax, dword ptr fs:[00000030h]3_2_00F10854
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF2840 mov ecx, dword ptr fs:[00000030h]3_2_00EF2840
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE4859 mov eax, dword ptr fs:[00000030h]3_2_00EE4859
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE4859 mov eax, dword ptr fs:[00000030h]3_2_00EE4859
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1A830 mov eax, dword ptr fs:[00000030h]3_2_00F1A830
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8483A mov eax, dword ptr fs:[00000030h]3_2_00F8483A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8483A mov eax, dword ptr fs:[00000030h]3_2_00F8483A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F02835 mov eax, dword ptr fs:[00000030h]3_2_00F02835
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F02835 mov eax, dword ptr fs:[00000030h]3_2_00F02835
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F02835 mov eax, dword ptr fs:[00000030h]3_2_00F02835
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F02835 mov ecx, dword ptr fs:[00000030h]3_2_00F02835
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F02835 mov eax, dword ptr fs:[00000030h]3_2_00F02835
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F02835 mov eax, dword ptr fs:[00000030h]3_2_00F02835
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6C810 mov eax, dword ptr fs:[00000030h]3_2_00F6C810
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F129F9 mov eax, dword ptr fs:[00000030h]3_2_00F129F9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F129F9 mov eax, dword ptr fs:[00000030h]3_2_00F129F9
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6E9E0 mov eax, dword ptr fs:[00000030h]3_2_00F6E9E0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F149D0 mov eax, dword ptr fs:[00000030h]3_2_00F149D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FAA9D3 mov eax, dword ptr fs:[00000030h]3_2_00FAA9D3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F769C0 mov eax, dword ptr fs:[00000030h]3_2_00F769C0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA9D0 mov eax, dword ptr fs:[00000030h]3_2_00EEA9D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA9D0 mov eax, dword ptr fs:[00000030h]3_2_00EEA9D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA9D0 mov eax, dword ptr fs:[00000030h]3_2_00EEA9D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA9D0 mov eax, dword ptr fs:[00000030h]3_2_00EEA9D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA9D0 mov eax, dword ptr fs:[00000030h]3_2_00EEA9D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEA9D0 mov eax, dword ptr fs:[00000030h]3_2_00EEA9D0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE09AD mov eax, dword ptr fs:[00000030h]3_2_00EE09AD
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE09AD mov eax, dword ptr fs:[00000030h]3_2_00EE09AD
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F689B3 mov esi, dword ptr fs:[00000030h]3_2_00F689B3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F689B3 mov eax, dword ptr fs:[00000030h]3_2_00F689B3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F689B3 mov eax, dword ptr fs:[00000030h]3_2_00F689B3
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF29A0 mov eax, dword ptr fs:[00000030h]3_2_00EF29A0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F84978 mov eax, dword ptr fs:[00000030h]3_2_00F84978
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F84978 mov eax, dword ptr fs:[00000030h]3_2_00F84978
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6C97C mov eax, dword ptr fs:[00000030h]3_2_00F6C97C
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F06962 mov eax, dword ptr fs:[00000030h]3_2_00F06962
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F06962 mov eax, dword ptr fs:[00000030h]3_2_00F06962
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F06962 mov eax, dword ptr fs:[00000030h]3_2_00F06962
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F2096E mov eax, dword ptr fs:[00000030h]3_2_00F2096E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F2096E mov edx, dword ptr fs:[00000030h]3_2_00F2096E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F2096E mov eax, dword ptr fs:[00000030h]3_2_00F2096E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F60946 mov eax, dword ptr fs:[00000030h]3_2_00F60946
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4940 mov eax, dword ptr fs:[00000030h]3_2_00FB4940
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6892A mov eax, dword ptr fs:[00000030h]3_2_00F6892A
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F7892B mov eax, dword ptr fs:[00000030h]3_2_00F7892B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6C912 mov eax, dword ptr fs:[00000030h]3_2_00F6C912
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED8918 mov eax, dword ptr fs:[00000030h]3_2_00ED8918
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED8918 mov eax, dword ptr fs:[00000030h]3_2_00ED8918
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5E908 mov eax, dword ptr fs:[00000030h]3_2_00F5E908
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5E908 mov eax, dword ptr fs:[00000030h]3_2_00F5E908
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1AAEE mov eax, dword ptr fs:[00000030h]3_2_00F1AAEE
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1AAEE mov eax, dword ptr fs:[00000030h]3_2_00F1AAEE
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F14AD0 mov eax, dword ptr fs:[00000030h]3_2_00F14AD0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F14AD0 mov eax, dword ptr fs:[00000030h]3_2_00F14AD0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE0AD0 mov eax, dword ptr fs:[00000030h]3_2_00EE0AD0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F36ACC mov eax, dword ptr fs:[00000030h]3_2_00F36ACC
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F36ACC mov eax, dword ptr fs:[00000030h]3_2_00F36ACC
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F36ACC mov eax, dword ptr fs:[00000030h]3_2_00F36ACC
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8AA0 mov eax, dword ptr fs:[00000030h]3_2_00EE8AA0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8AA0 mov eax, dword ptr fs:[00000030h]3_2_00EE8AA0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F36AA4 mov eax, dword ptr fs:[00000030h]3_2_00F36AA4
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F18A90 mov edx, dword ptr fs:[00000030h]3_2_00F18A90
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EEEA80 mov eax, dword ptr fs:[00000030h]3_2_00EEEA80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB4A80 mov eax, dword ptr fs:[00000030h]3_2_00FB4A80
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5CA72 mov eax, dword ptr fs:[00000030h]3_2_00F5CA72
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5CA72 mov eax, dword ptr fs:[00000030h]3_2_00F5CA72
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8EA60 mov eax, dword ptr fs:[00000030h]3_2_00F8EA60
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1CA6F mov eax, dword ptr fs:[00000030h]3_2_00F1CA6F
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1CA6F mov eax, dword ptr fs:[00000030h]3_2_00F1CA6F
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1CA6F mov eax, dword ptr fs:[00000030h]3_2_00F1CA6F
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0A5B mov eax, dword ptr fs:[00000030h]3_2_00EF0A5B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0A5B mov eax, dword ptr fs:[00000030h]3_2_00EF0A5B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6A50 mov eax, dword ptr fs:[00000030h]3_2_00EE6A50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6A50 mov eax, dword ptr fs:[00000030h]3_2_00EE6A50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6A50 mov eax, dword ptr fs:[00000030h]3_2_00EE6A50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6A50 mov eax, dword ptr fs:[00000030h]3_2_00EE6A50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6A50 mov eax, dword ptr fs:[00000030h]3_2_00EE6A50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6A50 mov eax, dword ptr fs:[00000030h]3_2_00EE6A50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE6A50 mov eax, dword ptr fs:[00000030h]3_2_00EE6A50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F04A35 mov eax, dword ptr fs:[00000030h]3_2_00F04A35
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F04A35 mov eax, dword ptr fs:[00000030h]3_2_00F04A35
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F1CA24 mov eax, dword ptr fs:[00000030h]3_2_00F1CA24
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0EA2E mov eax, dword ptr fs:[00000030h]3_2_00F0EA2E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6CA11 mov eax, dword ptr fs:[00000030h]3_2_00F6CA11
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F6CBF0 mov eax, dword ptr fs:[00000030h]3_2_00F6CBF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0EBFC mov eax, dword ptr fs:[00000030h]3_2_00F0EBFC
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8BF0 mov eax, dword ptr fs:[00000030h]3_2_00EE8BF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8BF0 mov eax, dword ptr fs:[00000030h]3_2_00EE8BF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE8BF0 mov eax, dword ptr fs:[00000030h]3_2_00EE8BF0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE0BCD mov eax, dword ptr fs:[00000030h]3_2_00EE0BCD
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE0BCD mov eax, dword ptr fs:[00000030h]3_2_00EE0BCD
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EE0BCD mov eax, dword ptr fs:[00000030h]3_2_00EE0BCD
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8EBD0 mov eax, dword ptr fs:[00000030h]3_2_00F8EBD0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F00BCB mov eax, dword ptr fs:[00000030h]3_2_00F00BCB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F00BCB mov eax, dword ptr fs:[00000030h]3_2_00F00BCB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F00BCB mov eax, dword ptr fs:[00000030h]3_2_00F00BCB
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F94BB0 mov eax, dword ptr fs:[00000030h]3_2_00F94BB0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F94BB0 mov eax, dword ptr fs:[00000030h]3_2_00F94BB0
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0BBE mov eax, dword ptr fs:[00000030h]3_2_00EF0BBE
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EF0BBE mov eax, dword ptr fs:[00000030h]3_2_00EF0BBE
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00EDCB7E mov eax, dword ptr fs:[00000030h]3_2_00EDCB7E
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F8EB50 mov eax, dword ptr fs:[00000030h]3_2_00F8EB50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB2B57 mov eax, dword ptr fs:[00000030h]3_2_00FB2B57
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB2B57 mov eax, dword ptr fs:[00000030h]3_2_00FB2B57
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB2B57 mov eax, dword ptr fs:[00000030h]3_2_00FB2B57
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FB2B57 mov eax, dword ptr fs:[00000030h]3_2_00FB2B57
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F94B4B mov eax, dword ptr fs:[00000030h]3_2_00F94B4B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F94B4B mov eax, dword ptr fs:[00000030h]3_2_00F94B4B
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F76B40 mov eax, dword ptr fs:[00000030h]3_2_00F76B40
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F76B40 mov eax, dword ptr fs:[00000030h]3_2_00F76B40
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FAAB40 mov eax, dword ptr fs:[00000030h]3_2_00FAAB40
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F88B42 mov eax, dword ptr fs:[00000030h]3_2_00F88B42
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00ED8B50 mov eax, dword ptr fs:[00000030h]3_2_00ED8B50
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F0EB20 mov eax, dword ptr fs:[00000030h]3_2_00F0EB20
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00FA8B28 mov eax, dword ptr fs:[00000030h]3_2_00FA8B28
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeCode function: 3_2_00F5EB1D mov eax, dword ptr fs:[00000030h]3_2_00F5EB1D
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtWriteVirtualMemory: Direct from: 0x76F0490CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtAllocateVirtualMemory: Direct from: 0x76F03C9CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtReadVirtualMemory: Direct from: 0x76F02E8CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtCreateKey: Direct from: 0x76F02C6CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtSetInformationThread: Direct from: 0x76F02B4CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtQueryAttributesFile: Direct from: 0x76F02E6CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtAllocateVirtualMemory: Direct from: 0x76F048ECJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtQuerySystemInformation: Direct from: 0x76F048CCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtQueryVolumeInformationFile: Direct from: 0x76F02F2CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtOpenSection: Direct from: 0x76F02E0CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtSetInformationThread: Direct from: 0x76EF63F9Jump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtDeviceIoControlFile: Direct from: 0x76F02AECJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtAllocateVirtualMemory: Direct from: 0x76F02BECJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtCreateFile: Direct from: 0x76F02FECJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtOpenFile: Direct from: 0x76F02DCCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtQueryInformationToken: Direct from: 0x76F02CACJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtTerminateThread: Direct from: 0x76F02FCCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtOpenKeyEx: Direct from: 0x76F02B9CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtProtectVirtualMemory: Direct from: 0x76F02F9CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtSetInformationProcess: Direct from: 0x76F02C5CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtNotifyChangeKey: Direct from: 0x76F03C2CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtCreateMutant: Direct from: 0x76F035CCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtWriteVirtualMemory: Direct from: 0x76F02E3CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtMapViewOfSection: Direct from: 0x76F02D1CJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtResumeThread: Direct from: 0x76F036ACJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtAllocateVirtualMemory: Direct from: 0x76F02BFCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtReadFile: Direct from: 0x76F02ADCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtQuerySystemInformation: Direct from: 0x76F02DFCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtDelayExecution: Direct from: 0x76F02DDCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtQueryInformationProcess: Direct from: 0x76F02C26Jump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtResumeThread: Direct from: 0x76F02FBCJump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeNtCreateUserProcess: Direct from: 0x76F0371CJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeSection loaded: NULL target: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeSection loaded: NULL target: C:\Windows\SysWOW64\dxdiag.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeThread register set: target process: 8088Jump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeThread APC queued: target process: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeProcess created: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe "C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe"Jump to behavior
                Source: C:\Program Files (x86)\NmFWWCrWgdpYQqAmnXcXEJNXoYzJYUdAtRovfPrqSKoHOmx\qUbKt1u3h.exeProcess created: C:\Windows\SysWOW64\dxdiag.exe "C:\Windows\SysWOW64\dxdiag.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\dxdiag.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: qUbKt1u3h.exe, 00000007.00000002.4160071402.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000007.00000000.2078936908.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000009.00000000.2228797622.00000000012A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: qUbKt1u3h.exe, 00000007.00000002.4160071402.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000007.00000000.2078936908.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000009.00000000.2228797622.00000000012A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: qUbKt1u3h.exe, 00000007.00000002.4160071402.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000007.00000000.2078936908.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000009.00000000.2228797622.00000000012A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: qUbKt1u3h.exe, 00000007.00000002.4160071402.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000007.00000000.2078936908.0000000001970000.00000002.00000001.00040000.00000000.sdmp, qUbKt1u3h.exe, 00000009.00000000.2228797622.00000000012A1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\FRQ 101102-04-25-0948-015.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match, File source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.4160341209.0000000000E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.4159091548.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.2157979065.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.2157335781.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.4160603364.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.4160671939.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.4160551388.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.2163605937.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\dxdiag.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\dxdiag.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                Source: Yara match, File source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.FRQ 101102-04-25-0948-015.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000009.00000002.4160341209.0000000000E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.4159091548.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.2157979065.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.2157335781.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.4160603364.00000000046C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.4160671939.0000000004710000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.4160551388.00000000030E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.2163605937.00000000013C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
                | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 312 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 121 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                | Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
                | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 41 Virtualization/Sandbox Evasion | Security Account Manager | 41 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
                | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Abuse Elevation Control Mechanism | Cached Domain Credentials | 113 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 4 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Software Packing | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Timestomp | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
                | IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 DLL Side-Loading | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
                Behavior Graph (figure not reproduced): ID: 1624291, Sample: FRQ 101102-04-25-0948-015.exe, Startdate: 26/02/2025, Architecture: WINDOWS, Score: 100
