Edit tour

Windows Analysis Report
Quotation.exe

Overview

General Information

Sample name:	Quotation.exe
Analysis ID:	1617803
MD5:	f2d4a32db67f82c93b697ec6ce9a634a
SHA1:	4b24ec6ee3a4379b65dc31395effdcc4fa1160a9
SHA256:	b604d14fff0103500662f72e757d3c0d6138b9715d752ea68096ce75d0da18d6
Tags:	exeQuotationuser-cocaman
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

.NET source code contains very large strings

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Quotation.exe (PID: 964 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: F2D4A32DB67F82C93B697EC6CE9A634A)

powershell.exe (PID: 3564 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 4972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6304 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

Quotation.exe (PID: 5484 cmdline: "C:\Users\user\Desktop\Quotation.exe" MD5: F2D4A32DB67F82C93B697EC6CE9A634A)

giRzMM68LdwnHolLIsDhfg.exe (PID: 2332 cmdline: "C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\MnwEUnwb9Nw.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

msfeedssync.exe (PID: 2192 cmdline: "C:\Windows\SysWOW64\msfeedssync.exe" MD5: E1C1AB8118F67D856FD140FB7175BF13)

giRzMM68LdwnHolLIsDhfg.exe (PID: 768 cmdline: "C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\MvmJ7SUIhCP9L.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 1016 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2385527930.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.4594898939.0000000000140000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.4598967878.0000000002600000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2387197505.0000000001730000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.4607153953.0000000004E10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.4599292144.0000000002650000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2387354242.00000000035F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4604929340.00000000043B0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: Quotation.exe PID: 964	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Quotation.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
4.2.Quotation.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 964, ParentProcessName: Quotation.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", ProcessId: 3564, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation.exe", ParentImage: C:\Users\user\Desktop\Quotation.exe, ParentProcessId: 964, ParentProcessName: Quotation.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe", ProcessId: 3564, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T09:10:52.064775+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	49897	148.72.247.70	80	TCP
2025-02-18T09:11:15.420640+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55380	46.30.211.38	80	TCP
2025-02-18T09:11:29.750103+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55384	47.83.1.90	80	TCP
2025-02-18T09:12:05.801461+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55390	149.104.184.89	80	TCP
2025-02-18T09:12:19.247811+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55395	209.74.64.58	80	TCP
2025-02-18T09:12:32.670691+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55399	199.59.243.228	80	TCP
2025-02-18T09:12:46.090855+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55403	13.248.169.48	80	TCP
2025-02-18T09:13:01.219284+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55407	47.83.1.90	80	TCP
2025-02-18T09:13:15.381096+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55412	104.21.80.1	80	TCP
2025-02-18T09:13:28.550304+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55416	13.248.169.48	80	TCP
2025-02-18T09:13:42.290962+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55420	103.106.67.112	80	TCP
2025-02-18T09:13:55.494520+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55424	13.248.169.48	80	TCP
2025-02-18T09:14:09.025035+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55428	144.76.229.203	80	TCP
2025-02-18T09:14:23.460675+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.6	55432	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T09:10:52.064775+0100	2855465	1	A Network Trojan was detected	192.168.2.6	49897	148.72.247.70	80	TCP
2025-02-18T09:11:15.420640+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55380	46.30.211.38	80	TCP
2025-02-18T09:11:29.750103+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55384	47.83.1.90	80	TCP
2025-02-18T09:12:05.801461+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55390	149.104.184.89	80	TCP
2025-02-18T09:12:19.247811+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55395	209.74.64.58	80	TCP
2025-02-18T09:12:32.670691+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55399	199.59.243.228	80	TCP
2025-02-18T09:12:46.090855+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55403	13.248.169.48	80	TCP
2025-02-18T09:13:01.219284+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55407	47.83.1.90	80	TCP
2025-02-18T09:13:15.381096+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55412	104.21.80.1	80	TCP
2025-02-18T09:13:28.550304+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55416	13.248.169.48	80	TCP
2025-02-18T09:13:42.290962+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55420	103.106.67.112	80	TCP
2025-02-18T09:13:55.494520+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55424	13.248.169.48	80	TCP
2025-02-18T09:14:09.025035+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55428	144.76.229.203	80	TCP
2025-02-18T09:14:23.460675+0100	2855465	1	A Network Trojan was detected	192.168.2.6	55432	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-18T09:11:07.781401+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55375	46.30.211.38	80	TCP
2025-02-18T09:11:10.332398+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55377	46.30.211.38	80	TCP
2025-02-18T09:11:12.865069+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55378	46.30.211.38	80	TCP
2025-02-18T09:11:21.997902+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55381	47.83.1.90	80	TCP
2025-02-18T09:11:24.544706+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55382	47.83.1.90	80	TCP
2025-02-18T09:11:27.091597+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55383	47.83.1.90	80	TCP
2025-02-18T09:11:38.028984+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55386	149.104.184.89	80	TCP
2025-02-18T09:11:40.653952+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55388	149.104.184.89	80	TCP
2025-02-18T09:11:43.388412+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55389	149.104.184.89	80	TCP
2025-02-18T09:12:11.613701+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55392	209.74.64.58	80	TCP
2025-02-18T09:12:14.155260+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55393	209.74.64.58	80	TCP
2025-02-18T09:12:16.698941+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55394	209.74.64.58	80	TCP
2025-02-18T09:12:25.038325+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55396	199.59.243.228	80	TCP
2025-02-18T09:12:28.432962+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55397	199.59.243.228	80	TCP
2025-02-18T09:12:30.135583+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55398	199.59.243.228	80	TCP
2025-02-18T09:12:38.268563+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55400	13.248.169.48	80	TCP
2025-02-18T09:12:40.939237+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55401	13.248.169.48	80	TCP
2025-02-18T09:12:43.578412+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55402	13.248.169.48	80	TCP
2025-02-18T09:12:53.282426+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55404	47.83.1.90	80	TCP
2025-02-18T09:12:55.828449+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55405	47.83.1.90	80	TCP
2025-02-18T09:12:58.388445+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55406	47.83.1.90	80	TCP
2025-02-18T09:13:07.196833+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55408	104.21.80.1	80	TCP
2025-02-18T09:13:09.709671+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55409	104.21.80.1	80	TCP
2025-02-18T09:13:12.604778+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55410	104.21.80.1	80	TCP
2025-02-18T09:13:21.950963+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55413	13.248.169.48	80	TCP
2025-02-18T09:13:23.444828+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55414	13.248.169.48	80	TCP
2025-02-18T09:13:26.029172+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55415	13.248.169.48	80	TCP
2025-02-18T09:13:34.397506+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55417	103.106.67.112	80	TCP
2025-02-18T09:13:36.943915+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55418	103.106.67.112	80	TCP
2025-02-18T09:13:39.498486+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55419	103.106.67.112	80	TCP
2025-02-18T09:13:47.796641+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55421	13.248.169.48	80	TCP
2025-02-18T09:13:51.406649+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55422	13.248.169.48	80	TCP
2025-02-18T09:13:52.888967+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55423	13.248.169.48	80	TCP
2025-02-18T09:14:01.223579+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55425	144.76.229.203	80	TCP
2025-02-18T09:14:03.797513+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55426	144.76.229.203	80	TCP
2025-02-18T09:14:06.441710+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55427	144.76.229.203	80	TCP
2025-02-18T09:14:14.511521+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55429	13.248.169.48	80	TCP
2025-02-18T09:14:17.080636+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55430	13.248.169.48	80	TCP
2025-02-18T09:14:20.901335+0100	2855464	1	A Network Trojan was detected	192.168.2.6	55431	13.248.169.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.askvtwv8.top/uztg/	Avira URL Cloud: Label: malware
Source: http://www.askvtwv8.top/uztg/?aD=dZHdiL7xvLOLPBQ&Tzr8_=+nnD4c3c3KEL/rpdey5PpuGEtusQHjNHKRoYtOqDasD0Qg1/WG/4NRhjA5miSBE9J8NC1pB0d1xeGfzelhsR1S3jYJp+47fQ47PDO4Kd95McmCWmHYCq+jA9bpNCOZRxRWyQ4ww=	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Quotation.exe	Virustotal: Detection: 29%			Perma Link
Source: Quotation.exe	ReversingLabs: Detection: 13%

Yara detected FormBook

Source: Yara match	File source: 4.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2385527930.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4594898939.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4598967878.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2387197505.0000000001730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4607153953.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4599292144.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2387354242.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4604929340.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Quotation.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Quotation.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msfeedssync.pdbUGP source: Quotation.exe, 00000004.00000002.2385800533.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000002.4604033327.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: Quotation.exe, 00000004.00000002.2386077501.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000003.2388123605.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605625145.0000000002D1E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605625145.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000003.2385856352.0000000002829000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 00000004.00000002.2386077501.00000000013E0000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, msfeedssync.exe, 0000000B.00000003.2388123605.00000000029D3000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605625145.0000000002D1E000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605625145.0000000002B80000.00000040.00001000.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000003.2385856352.0000000002829000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msfeedssync.pdb source: Quotation.exe, 00000004.00000002.2385800533.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000002.4604033327.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EtWr.pdb source: Quotation.exe
Source:	Binary string: EtWr.pdbSHA256 source: Quotation.exe
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000000.2303158175.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000002.4601918491.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp

Source: C:\Windows\SysWOW64\msfeedssync.exe

Code function: 11_2_0015C680 FindFirstFileW,FindNextFileW,FindClose,

11_2_0015C680

Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 4x nop then xor eax, eax		11_2_00149EC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 4x nop then mov ebx, 00000004h		11_2_02ED04E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49897 -> 148.72.247.70:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49897 -> 148.72.247.70:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55380 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55380 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55377 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55383 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55388 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55412 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55412 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55392 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55381 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55404 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55386 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55421 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55375 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55396 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55415 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55408 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55416 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55416 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55405 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55398 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55384 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55384 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55429 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55424 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55401 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55424 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55430 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55378 -> 46.30.211.38:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55409 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55389 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55413 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55393 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55425 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55431 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55426 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55382 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55390 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55390 -> 149.104.184.89:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55428 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55428 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55395 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55395 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55394 -> 209.74.64.58:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55410 -> 104.21.80.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55419 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55402 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55420 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55420 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55432 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55432 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55418 -> 103.106.67.112:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55423 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55400 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55397 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55399 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55399 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55403 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55403 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:55407 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:55407 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55406 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55422 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55414 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55427 -> 144.76.229.203:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:55417 -> 103.106.67.112:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.melengkung.xyz
Source:	DNS query: www.berkilau.xyz
Source:	DNS query: www.seasay.xyz
Source:	DNS query: www.shibfestival.xyz
Source:	DNS query: www.031234103.xyz
Source:	DNS query: www.corsix.xyz

Source: global traffic

TCP traffic: 192.168.2.6:55296 -> 162.159.36.2:53

Source: Joe Sandbox View	IP Address: 144.76.229.203 144.76.229.203
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /2i0k/?aD=dZHdiL7xvLOLPBQ&Tzr8_=WeJYadYniKRZByzzvxCLkkT/xti9VVMxwhfBQxnm132QdHMxzjTmB7Uw1lV55of2Ql4+U0VOq1+fhb57LzOydbzqbp/IZSD6gq9oPJFLXUDkZYj1AmTpf49c+0TtcAhO79gfZn4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.rds845.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /wydt/?Tzr8_=5VV5zaVyioKvui6f8qyG3IDGVPdlSdk2dL73T3ZYMn8k+e/vfjfehV3uAXE74CW6mr84kubQb7PqfuL3sByk4zAHSCf3WxUfTguS+kvnS9xqBSPOxgzlOh0MefbSUW4+G6if384=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.schoeler.proConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /uzd2/?aD=dZHdiL7xvLOLPBQ&Tzr8_=fT9N3FsFDTNmTIZF4xptKfralz4kO9B+ENo/4lsaoo6HwYKpm4Najr2/W9Iv2vCiqIxfJAhVyMrxfUWcGsu8s4NcSddAFPEATdGR+1Krlc4bMxgLXUkZ9+4qwx2v0B27l+HM6E0= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.kpilal.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /bl60/?Tzr8_=7KqBeI51pekf0AVUSicAI1mJWWXcRARBaI0jAhY/A6pzh5mI8UIGMoQN96TYM7FYKU4GVIyckkKWvlHhgwmaAPr5PDKlfB0Nypg1LMgEB4DjXvFpXBtAkVFg1XxlfnTdf41yxLk=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.zkkv3oae.vipConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /m9bw/?Tzr8_=c65Z66AH1nUgI224hybr4IHRoXEWVrV7RgpnxZMoMLGYnYeAoGqkN18+TNo8D4wVxrXfp68kmIM9xs3h0cs0qBmzaG/IJhDBE6KkOXv1fGCXK96Lmu+F1mhSNooUcKLPluRUpxM=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.thrivell.lifeConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /cpbw/?Tzr8_=j9x9kJU7UcAYEWEUt+89zuhJLorgOhrRwP39zrhC/EoZ+NnF04QyCgHeuwZnNkDy+Eh6VfeEAKF098oSI0wQVyoKCk+kNqeZ5J32c0Yn0TaV9onAGPkZAad5NAUzp9eQRGuVGi8=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.sscexampyq.watchesConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /0y3r/?Tzr8_=NNsUrfDYogd5KgEmfHOhLiCUpL/ycyxUxiUVjETpADofQQCG23LbddXApMRWYwqNAPEF3q7toS5EuqqD+puOFUcCoZs2SjXBx6OKWylLgLNsG7+G8BBWhyCM6ST7exjkwRtD7v8=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.melengkung.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /wbzo/?Tzr8_=q3KlCKDmK4ELQKWWUcg/FlbQjxqr8Ug1u9jBPrpibm9/r1bZuSVNTJsKRKTfBrL1Q74mhVPLBmu2gNX7pDwWH1ZFwu0RuU1OqXQ55frXrQuy4zOufCIf2xZSmE4mBVnP4X7L4o8=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.vvxcss.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /uztg/?aD=dZHdiL7xvLOLPBQ&Tzr8_=+nnD4c3c3KEL/rpdey5PpuGEtusQHjNHKRoYtOqDasD0Qg1/WG/4NRhjA5miSBE9J8NC1pB0d1xeGfzelhsR1S3jYJp+47fQ47PDO4Kd95McmCWmHYCq+jA9bpNCOZRxRWyQ4ww= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.askvtwv8.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /0a6h/?Tzr8_=4iO46mqIBVv4+k9W6LsUvCVaOUZDGEFnn7WAcz/P0eLSsJADjC1P1ze0v25FROBtMqAu0yYT6nFt/u3VwLGumvmxY2ZCttU2tqN3zj8iga/CXHm+gHUKrZMhfx8ALGtb6zfPvbA=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.berkilau.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /36xs/?aD=dZHdiL7xvLOLPBQ&Tzr8_=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3rBomzgIOO7wigAI/htEgjf23cNUotiJq7H3GsdxzDVPbajzumommKHi90NSuQU+p/ERxGsu2ZmMOqrV9flKg0CCRQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.seasay.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /gy4u/?Tzr8_=LcvWm9PoXmh0ed+OrIDToYlIrZw2q35DEYIU6sknWZxapDsLCzJUOh5d+BBm/MfusN5GInj1wF1Jz1YJRWWIBTh6UJL8j/qwdkhQ8cf9NXR7wD6CkVng0KVakLL3T+jqTA6cIG0=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.shibfestival.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /z0it/?aD=dZHdiL7xvLOLPBQ&Tzr8_=DaqYyDhfRyWIR4xS4E63/qTRIQgqoWSI9b+QdYveO98qQ64GTsQjKE9BhC2RGwgAmUZQI386DZwQTzGkc+2gVo8kGrmTzk6IQynrcBxHw5zDhLwaeX/sIAA/FuuaSbwjCsR/ynE= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.031234103.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16
Source: global traffic	HTTP traffic detected: GET /vfs3/?Tzr8_=KGtC6huJ4au9g2crOn4yKOveJg5tp2yoY9H48UkY9VT0CpunUoTAthUg4dvK3NVgO3OSivHm6ijFKYAZ8peYOGRBruj7bSpN0ILzuWa3aDCwm2BYeKRUnvFyJDHwcZleLFCIw3c=&aD=dZHdiL7xvLOLPBQ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.corsix.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16

Source: global traffic	DNS traffic detected: DNS query: www.rds845.shop
Source: global traffic	DNS traffic detected: DNS query: www.schoeler.pro
Source: global traffic	DNS traffic detected: DNS query: www.kpilal.info
Source: global traffic	DNS traffic detected: DNS query: www.zkkv3oae.vip
Source: global traffic	DNS traffic detected: DNS query: www.thrivell.life
Source: global traffic	DNS traffic detected: DNS query: www.sscexampyq.watches
Source: global traffic	DNS traffic detected: DNS query: www.melengkung.xyz
Source: global traffic	DNS traffic detected: DNS query: www.vvxcss.info
Source: global traffic	DNS traffic detected: DNS query: www.askvtwv8.top
Source: global traffic	DNS traffic detected: DNS query: www.berkilau.xyz
Source: global traffic	DNS traffic detected: DNS query: www.seasay.xyz
Source: global traffic	DNS traffic detected: DNS query: www.shibfestival.xyz
Source: global traffic	DNS traffic detected: DNS query: www.031234103.xyz
Source: global traffic	DNS traffic detected: DNS query: www.corsix.xyz

Source: unknown

HTTP traffic detected: POST /wydt/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.schoeler.proOrigin: http://www.schoeler.proCache-Control: max-age=0Connection: closeContent-Length: 210Content-Type: application/x-www-form-urlencodedReferer: http://www.schoeler.pro/wydt/User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 12.16Data Raw: 54 7a 72 38 5f 3d 30 58 39 5a 77 75 6f 46 32 72 2f 43 7a 68 32 34 34 35 43 58 6b 34 7a 6d 51 63 6f 5a 58 64 70 6d 44 5a 76 74 4d 68 6c 59 5a 6b 4d 43 33 4b 76 50 61 51 54 73 6f 54 62 41 58 7a 5a 4b 6b 48 32 6e 76 34 56 4c 77 2b 4c 69 64 6f 71 53 65 4e 43 43 67 6b 65 78 32 46 70 39 62 68 6a 56 50 41 55 68 55 79 69 52 33 6a 57 59 61 50 74 49 4a 42 66 59 34 67 79 73 45 51 4d 6a 58 4f 66 64 4e 7a 59 5a 4c 6f 53 54 2b 71 43 43 5a 36 71 33 4b 37 62 7a 42 78 78 53 67 31 57 64 49 45 41 76 4b 67 57 32 50 4c 4b 36 41 69 51 38 48 59 6c 56 32 4a 30 6b 6c 7a 51 49 47 79 47 2b 67 67 5a 39 57 58 49 77 6e 55 68 75 30 45 52 6d 6c 39 52 33 Data Ascii: Tzr8_=0X9ZwuoF2r/Czh2445CXk4zmQcoZXdpmDZvtMhlYZkMC3KvPaQTsoTbAXzZKkH2nv4VLw+LidoqSeNCCgkex2Fp9bhjVPAUhUyiR3jWYaPtIJBfY4gysEQMjXOfdNzYZLoST+qCCZ6q3K7bzBxxSg1WdIEAvKgW2PLK6AiQ8HYlV2J0klzQIGyG+ggZ9WXIwnUhu0ERml9R3

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 08:11:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 08:11:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 08:11:12 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Tue, 18 Feb 2025 08:11:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 162Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:12:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:12:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:12:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:12:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:13:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E0BSkq6JXX0wqW87SwDTMEbLGaQoIdk0W8yFYgezfl82h2v8MqD8tPtz7S334QhYU5%2B8HVm1g99p%2BiMWk6uLR3kcERVdjg2ynT3XwbbzOEqOlEiomMrfeN8G03Zv4cU7nIXD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c8e54aec541d2-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2072&min_rtt=2072&rtt_var=1036&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=736&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:13:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JxsHALqkxLIPblXOCyZDgPjY6Sth4PMTrOfRzI2NCpVTMxUntbnpG6GRLy%2F3G0b5kllVSWqVdpv1r1hNKtqZAbVWDtAK%2FlaVJ0bG8dlKP0y5HlQwTx01qU20U%2Fb01Yzw1dXL"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c8e649dfc42c7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2389&min_rtt=2389&rtt_var=1194&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=760&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:13:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YJiNqnfaGPEegcNnqWmKRuNNrAcPlVK61Up9DpBLQLy26D2R7s%2BNN3e5sJQ47ZpzqijMZw8fnEg0o3mDpxG2pVFaNqFBB%2F4BxEiG186Ky1nKjwxWjaaZMggY7mqt1SOZxEgz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c8e77f8d542e4-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1678&rtt_var=839&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1773&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:13:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C2LTM5%2FrdlMQABY%2BYB0XgWJsxCRpYjtzUB63S1xuv%2BlLqIFOKjs3K8PiI5UcKXuljmMcxKX%2FpBR7Wngoce1fzl%2FJFai0uyGXTINsGGxHFWOHJasxRXfHdEc3EiHKLsG8JkOz"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913c8e87fe624217-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1572&rtt_var=786&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=486&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:14:01 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:14:03 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:14:06 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 08:14:08 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: Quotation.exe, 00000000.00000002.2153136917.00000000029B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000002.4607153953.0000000004EA4000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.corsix.xyz
Source: giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000002.4607153953.0000000004EA4000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.corsix.xyz/vfs3/
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msfeedssync.exe, 0000000B.00000002.4600877846.000000000276F000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4600877846.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: msfeedssync.exe, 0000000B.00000002.4600877846.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: msfeedssync.exe, 0000000B.00000003.2570294768.000000000752A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: msfeedssync.exe, 0000000B.00000002.4600877846.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: msfeedssync.exe, 0000000B.00000002.4600877846.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: msfeedssync.exe, 0000000B.00000002.4600877846.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: msfeedssync.exe, 0000000B.00000002.4600877846.0000000002742000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: msfeedssync.exe, 0000000B.00000002.4609390563.0000000007548000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: msfeedssync.exe, 0000000B.00000002.4607173873.0000000003E0E000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4609257498.0000000005B00000.00000004.00000800.00020000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000002.4605190718.000000000359E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: msfeedssync.exe, 0000000B.00000002.4607173873.00000000045E8000.00000004.10000000.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000002.4605190718.0000000003D78000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/36xs/?aD=dZHdiL7xvLOLPBQ&Tzr8_=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGeZ/g3
Source: msfeedssync.exe, 0000000B.00000002.4607173873.00000000045E8000.00000004.10000000.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000002.4605190718.0000000003D78000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.seasay.xyz/36xs/?aD=dZHdiL7xvLOLPBQ&Tzr8_=RgfpXspOgsNiHmosVF1KbpPv72dzNmiTBjL/Nd6qGe

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.Quotation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Quotation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2385527930.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4594898939.0000000000140000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4598967878.0000000002600000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2387197505.0000000001730000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4607153953.0000000004E10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4599292144.0000000002650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2387354242.00000000035F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4604929340.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

.NET source code contains very large strings

Source: Quotation.exe, frmLogin.cs	Long String: Length: 169248
Source: 11.2.msfeedssync.exe.324cd14.2.raw.unpack, frmLogin.cs	Long String: Length: 169248

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Quotation.exe

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0042C763 NtClose,	4_2_0042C763
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452B60 NtClose,LdrInitializeThunk,	4_2_01452B60
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01452DF0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01452C70
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014535C0 NtCreateMutant,LdrInitializeThunk,	4_2_014535C0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01454340 NtSetContextThread,	4_2_01454340
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01454650 NtSuspendThread,	4_2_01454650
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452BE0 NtQueryValueKey,	4_2_01452BE0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452BF0 NtAllocateVirtualMemory,	4_2_01452BF0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452B80 NtQueryInformationFile,	4_2_01452B80
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452BA0 NtEnumerateValueKey,	4_2_01452BA0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452AD0 NtReadFile,	4_2_01452AD0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452AF0 NtWriteFile,	4_2_01452AF0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452AB0 NtWaitForSingleObject,	4_2_01452AB0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452D00 NtSetInformationFile,	4_2_01452D00
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452D10 NtMapViewOfSection,	4_2_01452D10
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452D30 NtUnmapViewOfSection,	4_2_01452D30
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452DD0 NtDelayExecution,	4_2_01452DD0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452DB0 NtEnumerateKey,	4_2_01452DB0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452C60 NtCreateKey,	4_2_01452C60
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452C00 NtQueryInformationProcess,	4_2_01452C00
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452CC0 NtQueryVirtualMemory,	4_2_01452CC0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452CF0 NtOpenProcess,	4_2_01452CF0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452CA0 NtQueryInformationToken,	4_2_01452CA0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452F60 NtCreateProcessEx,	4_2_01452F60
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452F30 NtCreateSection,	4_2_01452F30
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452FE0 NtCreateFile,	4_2_01452FE0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452F90 NtProtectVirtualMemory,	4_2_01452F90
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452FA0 NtQuerySection,	4_2_01452FA0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452FB0 NtResumeThread,	4_2_01452FB0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452E30 NtWriteVirtualMemory,	4_2_01452E30
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452EE0 NtQueueApcThread,	4_2_01452EE0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452E80 NtReadVirtualMemory,	4_2_01452E80
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01452EA0 NtAdjustPrivilegesToken,	4_2_01452EA0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01453010 NtOpenDirectoryObject,	4_2_01453010
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01453090 NtSetValueKey,	4_2_01453090
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014539B0 NtGetContextThread,	4_2_014539B0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01453D70 NtOpenThread,	4_2_01453D70
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01453D10 NtOpenProcessToken,	4_2_01453D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF4340 NtSetContextThread,LdrInitializeThunk,	11_2_02BF4340
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF4650 NtSuspendThread,LdrInitializeThunk,	11_2_02BF4650
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2AF0 NtWriteFile,LdrInitializeThunk,	11_2_02BF2AF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2AD0 NtReadFile,LdrInitializeThunk,	11_2_02BF2AD0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_02BF2BA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_02BF2BF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_02BF2BE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2B60 NtClose,LdrInitializeThunk,	11_2_02BF2B60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_02BF2E80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_02BF2EE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2FB0 NtResumeThread,LdrInitializeThunk,	11_2_02BF2FB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2FE0 NtCreateFile,LdrInitializeThunk,	11_2_02BF2FE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2F30 NtCreateSection,LdrInitializeThunk,	11_2_02BF2F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_02BF2CA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_02BF2C70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2C60 NtCreateKey,LdrInitializeThunk,	11_2_02BF2C60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_02BF2DF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2DD0 NtDelayExecution,LdrInitializeThunk,	11_2_02BF2DD0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_02BF2D30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_02BF2D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF35C0 NtCreateMutant,LdrInitializeThunk,	11_2_02BF35C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF39B0 NtGetContextThread,LdrInitializeThunk,	11_2_02BF39B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2AB0 NtWaitForSingleObject,	11_2_02BF2AB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2B80 NtQueryInformationFile,	11_2_02BF2B80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2EA0 NtAdjustPrivilegesToken,	11_2_02BF2EA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2E30 NtWriteVirtualMemory,	11_2_02BF2E30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2FA0 NtQuerySection,	11_2_02BF2FA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2F90 NtProtectVirtualMemory,	11_2_02BF2F90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2F60 NtCreateProcessEx,	11_2_02BF2F60
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2CF0 NtOpenProcess,	11_2_02BF2CF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2CC0 NtQueryVirtualMemory,	11_2_02BF2CC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2C00 NtQueryInformationProcess,	11_2_02BF2C00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2DB0 NtEnumerateKey,	11_2_02BF2DB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF2D00 NtSetInformationFile,	11_2_02BF2D00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF3090 NtSetValueKey,	11_2_02BF3090
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF3010 NtOpenDirectoryObject,	11_2_02BF3010
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF3D10 NtOpenProcessToken,	11_2_02BF3D10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF3D70 NtOpenThread,	11_2_02BF3D70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_001691D0 NtCreateFile,	11_2_001691D0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00169330 NtReadFile,	11_2_00169330
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00169420 NtDeleteFile,	11_2_00169420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_001694C0 NtClose,	11_2_001694C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00169610 NtAllocateVirtualMemory,	11_2_00169610
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02EDF884 NtUnmapViewOfSection,	11_2_02EDF884

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0255D424	0_2_0255D424
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0520ED50	0_2_0520ED50
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0520ED40	0_2_0520ED40
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A920130	0_2_0A920130
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A92BA98	0_2_0A92BA98
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A924B99	0_2_0A924B99
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A924BA8	0_2_0A924BA8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A92AB10	0_2_0A92AB10
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A924E88	0_2_0A924E88
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A92BED0	0_2_0A92BED0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A924E78	0_2_0A924E78
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A923C17	0_2_0A923C17
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A923C28	0_2_0A923C28
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A92C308	0_2_0A92C308
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A920120	0_2_0A920120
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A9226E0	0_2_0A9226E0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A92D710	0_2_0A92D710
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0A92E4C0	0_2_0A92E4C0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_10BF2CE0	0_2_10BF2CE0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004186C3	4_2_004186C3
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00403000	4_2_00403000
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004168C3	4_2_004168C3
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040E0C3	4_2_0040E0C3
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004100D3	4_2_004100D3
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004168BE	4_2_004168BE
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004021DA	4_2_004021DA
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004021E0	4_2_004021E0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004011A0	4_2_004011A0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040E25C	4_2_0040E25C
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040E207	4_2_0040E207
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040E213	4_2_0040E213
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040239D	4_2_0040239D
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004023A0	4_2_004023A0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0042ED53	4_2_0042ED53
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00402690	4_2_00402690
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040FEAD	4_2_0040FEAD
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040FEB3	4_2_0040FEB3
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014A8158	4_2_014A8158
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01410100	4_2_01410100
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014BA118	4_2_014BA118
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D81CC	4_2_014D81CC
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014E01AA	4_2_014E01AA
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D41A2	4_2_014D41A2
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014B2000	4_2_014B2000
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DA352	4_2_014DA352
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014E03E6	4_2_014E03E6
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0142E3F0	4_2_0142E3F0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014C0274	4_2_014C0274
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014A02C0	4_2_014A02C0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01420535	4_2_01420535
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014E0591	4_2_014E0591
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D2446	4_2_014D2446
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014C4420	4_2_014C4420
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014CE4F6	4_2_014CE4F6
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01444750	4_2_01444750
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01420770	4_2_01420770
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0141C7C0	4_2_0141C7C0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0143C6E0	4_2_0143C6E0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01436962	4_2_01436962
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014229A0	4_2_014229A0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014EA9A6	4_2_014EA9A6
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01422840	4_2_01422840
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0142A840	4_2_0142A840
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0144E8F0	4_2_0144E8F0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014068B8	4_2_014068B8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DAB40	4_2_014DAB40
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D6BD7	4_2_014D6BD7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0141EA80	4_2_0141EA80
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0142AD00	4_2_0142AD00
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014BCD1F	4_2_014BCD1F
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0141ADE0	4_2_0141ADE0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01438DBF	4_2_01438DBF
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01420C00	4_2_01420C00
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01410CF2	4_2_01410CF2
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014C0CB5	4_2_014C0CB5
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01494F40	4_2_01494F40
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01462F28	4_2_01462F28
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01440F30	4_2_01440F30
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014C2F30	4_2_014C2F30
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01412FC8	4_2_01412FC8
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0142CFE0	4_2_0142CFE0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0149EFA0	4_2_0149EFA0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01420E59	4_2_01420E59
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DEE26	4_2_014DEE26
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DEEDB	4_2_014DEEDB
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01432E90	4_2_01432E90
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DCE93	4_2_014DCE93
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014EB16B	4_2_014EB16B
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0145516C	4_2_0145516C
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0140F172	4_2_0140F172
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0142B1B0	4_2_0142B1B0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014CF0CC	4_2_014CF0CC
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014270C0	4_2_014270C0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D70E9	4_2_014D70E9
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DF0E0	4_2_014DF0E0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0140D34C	4_2_0140D34C
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D132D	4_2_014D132D
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0146739A	4_2_0146739A
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0143B2C0	4_2_0143B2C0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014C12ED	4_2_014C12ED
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014252A0	4_2_014252A0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D7571	4_2_014D7571
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014E95C3	4_2_014E95C3
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014BD5B0	4_2_014BD5B0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01411460	4_2_01411460
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DF43F	4_2_014DF43F
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DF7B0	4_2_014DF7B0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01465630	4_2_01465630
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D16CC	4_2_014D16CC
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01429950	4_2_01429950
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0143B950	4_2_0143B950
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014B5910	4_2_014B5910
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0148D800	4_2_0148D800
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014238E0	4_2_014238E0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DFB76	4_2_014DFB76
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01495BF0	4_2_01495BF0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0145DBF9	4_2_0145DBF9
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0143FB80	4_2_0143FB80
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DFA49	4_2_014DFA49
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D7A46	4_2_014D7A46
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01493A6C	4_2_01493A6C
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014CDAC6	4_2_014CDAC6
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01465AA0	4_2_01465AA0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014BDAAC	4_2_014BDAAC
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014C1AA3	4_2_014C1AA3
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01423D40	4_2_01423D40
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D1D5A	4_2_014D1D5A
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014D7D73	4_2_014D7D73
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0143FDC0	4_2_0143FDC0
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01499C32	4_2_01499C32
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DFCF2	4_2_014DFCF2
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DFF09	4_2_014DFF09
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01421F92	4_2_01421F92
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_013E3FD5	4_2_013E3FD5
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_013E3FD2	4_2_013E3FD2
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014DFFB1	4_2_014DFFB1
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_01429EB0	4_2_01429EB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C402C0	11_2_02C402C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C60274	11_2_02C60274
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C803E6	11_2_02C803E6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BCE3F0	11_2_02BCE3F0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7A352	11_2_02C7A352
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C52000	11_2_02C52000
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C781CC	11_2_02C781CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C801AA	11_2_02C801AA
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C741A2	11_2_02C741A2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C48158	11_2_02C48158
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BB0100	11_2_02BB0100
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C5A118	11_2_02C5A118
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BDC6E0	11_2_02BDC6E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BBC7C0	11_2_02BBC7C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC0770	11_2_02BC0770
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BE4750	11_2_02BE4750
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C6E4F6	11_2_02C6E4F6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C72446	11_2_02C72446
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C64420	11_2_02C64420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C80591	11_2_02C80591
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC0535	11_2_02BC0535
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BBEA80	11_2_02BBEA80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C76BD7	11_2_02C76BD7
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7AB40	11_2_02C7AB40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BA68B8	11_2_02BA68B8
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BEE8F0	11_2_02BEE8F0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC2840	11_2_02BC2840
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BCA840	11_2_02BCA840
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC29A0	11_2_02BC29A0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C8A9A6	11_2_02C8A9A6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BD6962	11_2_02BD6962
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7EEDB	11_2_02C7EEDB
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BD2E90	11_2_02BD2E90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7CE93	11_2_02C7CE93
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7EE26	11_2_02C7EE26
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC0E59	11_2_02BC0E59
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BCCFE0	11_2_02BCCFE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C3EFA0	11_2_02C3EFA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BB2FC8	11_2_02BB2FC8
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C34F40	11_2_02C34F40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BE0F30	11_2_02BE0F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C02F28	11_2_02C02F28
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C62F30	11_2_02C62F30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BB0CF2	11_2_02BB0CF2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C60CB5	11_2_02C60CB5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC0C00	11_2_02BC0C00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BD8DBF	11_2_02BD8DBF
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BBADE0	11_2_02BBADE0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BCAD00	11_2_02BCAD00
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C5CD1F	11_2_02C5CD1F
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC52A0	11_2_02BC52A0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C612ED	11_2_02C612ED
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BDB2C0	11_2_02BDB2C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C0739A	11_2_02C0739A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7132D	11_2_02C7132D
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BAD34C	11_2_02BAD34C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C6F0CC	11_2_02C6F0CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7F0E0	11_2_02C7F0E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C770E9	11_2_02C770E9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC70C0	11_2_02BC70C0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BCB1B0	11_2_02BCB1B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C8B16B	11_2_02C8B16B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BAF172	11_2_02BAF172
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BF516C	11_2_02BF516C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C716CC	11_2_02C716CC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C05630	11_2_02C05630
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7F7B0	11_2_02C7F7B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BB1460	11_2_02BB1460
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7F43F	11_2_02C7F43F
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C895C3	11_2_02C895C3
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C5D5B0	11_2_02C5D5B0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C77571	11_2_02C77571
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C6DAC6	11_2_02C6DAC6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C05AA0	11_2_02C05AA0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C61AA3	11_2_02C61AA3
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C5DAAC	11_2_02C5DAAC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C77A46	11_2_02C77A46
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7FA49	11_2_02C7FA49
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C33A6C	11_2_02C33A6C
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C35BF0	11_2_02C35BF0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BDFB80	11_2_02BDFB80
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BFDBF9	11_2_02BFDBF9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7FB76	11_2_02C7FB76
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC38E0	11_2_02BC38E0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C2D800	11_2_02C2D800
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C55910	11_2_02C55910
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC9950	11_2_02BC9950
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BDB950	11_2_02BDB950
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC9EB0	11_2_02BC9EB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC1F92	11_2_02BC1F92
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02B83FD2	11_2_02B83FD2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02B83FD5	11_2_02B83FD5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7FFB1	11_2_02C7FFB1
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7FF09	11_2_02C7FF09
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C7FCF2	11_2_02C7FCF2
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C39C32	11_2_02C39C32
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BDFDC0	11_2_02BDFDC0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C71D5A	11_2_02C71D5A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02C77D73	11_2_02C77D73
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BC3D40	11_2_02BC3D40
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00151D90	11_2_00151D90
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0014CC10	11_2_0014CC10
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0014CC0A	11_2_0014CC0A
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0014CE30	11_2_0014CE30
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0014AE20	11_2_0014AE20
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0014AF70	11_2_0014AF70
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0014AF64	11_2_0014AF64
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0014AFB9	11_2_0014AFB9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00155420	11_2_00155420
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0015361B	11_2_0015361B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00153620	11_2_00153620
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0016BAB0	11_2_0016BAB0
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02EDE313	11_2_02EDE313
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02EDE1F5	11_2_02EDE1F5
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02EDE6AC	11_2_02EDE6AC
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02EDD778	11_2_02EDD778
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02EDCA18	11_2_02EDCA18
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02EDC9EE	11_2_02EDC9EE

Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02BAB970 appears 280 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02C07E54 appears 111 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02C2EA12 appears 86 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02BF5130 appears 58 times
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: String function: 02C3F290 appears 105 times
Source: C:\Users\user\Desktop\Quotation.exe	Code function: String function: 01455130 appears 58 times
Source: C:\Users\user\Desktop\Quotation.exe	Code function: String function: 0149F290 appears 105 times
Source: C:\Users\user\Desktop\Quotation.exe	Code function: String function: 0148EA12 appears 86 times
Source: C:\Users\user\Desktop\Quotation.exe	Code function: String function: 0140B970 appears 280 times
Source: C:\Users\user\Desktop\Quotation.exe	Code function: String function: 01467E54 appears 111 times

Source: Quotation.exe, 00000000.00000002.2164277316.0000000007030000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quotation.exe
Source: Quotation.exe, 00000000.00000002.2137675104.000000000089E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation.exe
Source: Quotation.exe, 00000000.00000002.2155631603.0000000003731000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Quotation.exe
Source: Quotation.exe, 00000000.00000002.2155631603.0000000003FFE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Quotation.exe
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEtWr.exeH vs Quotation.exe
Source: Quotation.exe, 00000000.00000002.2165152257.0000000007350000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs Quotation.exe
Source: Quotation.exe, 00000004.00000002.2386077501.000000000150D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 00000004.00000002.2385800533.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsfeedssync.exeD vs Quotation.exe
Source: Quotation.exe, 00000004.00000002.2385800533.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsfeedssync.exeD vs Quotation.exe
Source: Quotation.exe	Binary or memory string: OriginalFilenameEtWr.exeH vs Quotation.exe

Source: Quotation.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, qbSm9MtWo11E4ypis0.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, qbSm9MtWo11E4ypis0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, qbSm9MtWo11E4ypis0.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, qbSm9MtWo11E4ypis0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, qbSm9MtWo11E4ypis0.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, qbSm9MtWo11E4ypis0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/7@15/10

Source: C:\Users\user\Desktop\Quotation.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4972:120:WilError_03

Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT TOP 200 o.onum [Order ID],c.companyShortName [Client name], o.odate [Order date],o.supplydate [Date of delivery],o.ototal [Total price],o.odesc [Order description],o.paymentStatus [Mode of payment],o.orderStatus [Status] FROM order_list o JOIN order_detail od ON o.odate = od.odate JOIN clients c ON od.cnum=c.cnum WHERE o.odesc LIKE @Status1 AND o.orderStatus LIKE @Status2 GROUP BY o.odate,o.onum,c.companyShortName,o.supplydate,o.ototal,o.odesc,o.paymentStatus,o.orderStatus ORDER BY o.supplydate ;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT * FROM order_list WHERE (CAST(supplydate AS DATE) BETWEEN @From AND @To) AND orderStatus LIKE '%Completed%';
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT COUNT(*) FROM order_list WHERE (CAST(supplydate AS DATE) BETWEEN @From AND @To) AND orderStatus LIKE '%Completed%';
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT TOP 200 o.onum [Order ID],c.companyShortName [Client name], o.odate [Order date],o.supplydate [Date of delivery],o.ototal [Total price],o.odesc [Order description],o.paymentStatus [Mode of payment],o.orderStatus [Status] FROM order_list o JOIN order_detail od ON o.odate = od.odate JOIN clients c ON od.cnum=c.cnum WHERE o.supplydate BETWEEN @startDate AND @endDate GROUP BY o.odate,o.onum,c.companyShortName,o.supplydate,o.ototal,o.odesc,o.paymentStatus,o.orderStatus ORDER BY o.onum desc;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE order_list SET supplydate=@DeferDate,odesc = odesc+@Add WHERE onum=@OID;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT p.pNum [Product ID],pc.categoriesName Category,p.productsName [Product name],p.productsSeedStock [Seed stock],p.produceDays [Estimated Production Period] FROM products p LEFT JOIN products_categories pc ON p.categoriesNum = pc.categoriesNum;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE order_list SET orderStatus=@Cancel,supplydate=@DateFinish WHERE onum=@OID;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE staff SET sname=@NewName,sbirth=@NewBirth,ssex=@NewSex,sphone=@NewPhone,sEmail=@NewEmail,sresignation=@NewFire,saddressContact=@NewAddressC,saddressDomicile=@NewAddressD,ssal=@NewSal,stitle=@NewTitle,sInChargeProject=@NewInCharge WHERE snum=@SearchId;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT TOP 200 od.pname [Product Name],s.container [Container (oz)],s.pweight [Product Weight],s.pprice Price,od.pamount Amount,s.packageDescription [Package Description] FROM order_detail od JOIN order_list o ON od.odate = o.odate JOIN specifications s ON od.specificationsNum=s.specificationsNum WHERE od.odate = @SearchDate;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO specifications VALUES (@PContainer,@PWeight,@PDesc,@PPrice,@PID);ISuccessfully added. Rows changed:{0}
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT TOP 200 od.pname [Product Name],s.container [Container (oz)],s.pweight [Product Weight],s.pprice Price,od.pamount Amount,s.packageDescription [Package Description] FROM order_detail od JOIN order_list o ON od.odate = o.odate JOIN specifications s ON od.specificationsNum=s.specificationsNum WHERE od.odate=@Search;
Source: msfeedssync.exe, 0000000B.00000002.4600877846.00000000027B3000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4600877846.00000000027A9000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000003.2571203315.00000000027A9000.00000004.00000020.00020000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4600877846.00000000027D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT TOP 200 * FROM products WHERE productsSeedStock != 0 ORDER BY productsName;pNum
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT companyShortName FROM clients ORDER BY companyShortName;!companyShortName
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: UPDATE products_categories SET categoriesName=@NewCategory WHERE categoriesNum=@CategoryId;
Source: Quotation.exe, 00000000.00000000.2121936187.00000000001F2000.00000002.00000001.01000000.00000003.sdmp, msfeedssync.exe, 0000000B.00000002.4607173873.000000000324C000.00000004.10000000.00040000.00000000.sdmp, msfeedssync.exe, 0000000B.00000002.4605269869.000000000292E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2681409711.000000000EFDC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: SELECT pNum ID,productsName [Products Name],productsSeedStock [Seed stock] FROM products WHERE productsSeedStock <=5;

Source: unknown	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Quotation.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process created: C:\Users\user\Desktop\Quotation.exe "C:\Users\user\Desktop\Quotation.exe"	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Process created: C:\Windows\SysWOW64\msfeedssync.exe "C:\Windows\SysWOW64\msfeedssync.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Quotation.exe, frmLogin.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation.exe.7350000.6.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	.Net Code: wqAw5H3npY System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	.Net Code: wqAw5H3npY System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	.Net Code: wqAw5H3npY System.Reflection.Assembly.Load(byte[])
Source: 0.2.Quotation.exe.37e73f0.2.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 11.2.msfeedssync.exe.324cd14.2.raw.unpack, frmLogin.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_0520ED10 pushfd ; iretd	0_2_0520ED1D
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_10BF11D8 pushfd ; ret	0_2_10BF11D9
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 0_2_10BF323F push es; iretd	0_2_10BF3240
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004170F5 push ebp; ret	4_2_004171B1
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004170B6 push ecx; iretd	4_2_004170B7
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00417152 push ebp; ret	4_2_004171B1
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_004032A0 push eax; ret	4_2_004032A2
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00414B89 push ebx; iretd	4_2_00414B8A
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00401450 push esi; retf 89E0h	4_2_00401545
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00418C2D push ss; retf	4_2_00418CBA
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_0040BD8D push eax; retf	4_2_0040BD8E
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00417E53 push es; ret	4_2_00417E82
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00417ED2 push esi; iretd	4_2_00417EDA
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_00415FE3 push esi; retf	4_2_00415FEE
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_013E225F pushad ; ret	4_2_013E27F9
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_013E27FA pushad ; ret	4_2_013E27F9
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_014109AD push ecx; mov dword ptr [esp], ecx	4_2_014109B6
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_013E283D push eax; iretd	4_2_013E2858
Source: C:\Users\user\Desktop\Quotation.exe	Code function: 4_2_013E135E push eax; iretd	4_2_013E1369
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02B8225F pushad ; ret	11_2_02B827F9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02B827FA pushad ; ret	11_2_02B827F9
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02B8283D push eax; iretd	11_2_02B82858
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02BB09AD push ecx; mov dword ptr [esp], ecx	11_2_02BB09B6
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_02B81368 push eax; iretd	11_2_02B81369
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0016080D push edi; ret	11_2_0016080E
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00148AEA push eax; retf	11_2_00148AEB
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00154BB0 push es; ret	11_2_00154BDF
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00154C2F push esi; iretd	11_2_00154C37
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_00152D40 push esi; retf	11_2_00152D4B
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_001518E6 push ebx; iretd	11_2_001518E7
Source: C:\Windows\SysWOW64\msfeedssync.exe	Code function: 11_2_0015DADD push ecx; retf	11_2_0015DADE

Source: 0.2.Quotation.exe.423d330.0.raw.unpack, bYguYTfs5mWdHcD1kR.cs	High entropy of concatenated method names: 'Hbd9t5TixP', 'Ftg9VsRUir', 'fqD9y04mA5', 'eFV9mGcSIr', 'Lt39Z1h15V', 'qYT9kP7eUK', 'qs59QS0hsc', 'SVG9aGcyYK', 'caZ9gM9nwf', 'QG59F1ddmS'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, qbSm9MtWo11E4ypis0.cs	High entropy of concatenated method names: 'dVVUSlwZoZ', 'bsVUYHOkmy', 'wnqU6sDYHL', 'EZIU0NWYxA', 'LxrUq4UVNq', 'vedUN6PZbn', 'euZUhvunZh', 'c2nUGRQMSN', 'gFHU8mGZ9R', 'usjUA5rf3P'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, gZIVuhwH2sDyGhBf2T.cs	High entropy of concatenated method names: 'UXIPebSm9M', 'ao1Pl1E4yp', 'S3PPpCKoE8', 'ksdPBMcndU', 'TFQP7ZpUM2', 'CZAPJ4mGuA', 'ELCK49outP95EuAndw', 'Dk9tPQh8bGckLZiclZ', 'DJbPPgeKmx', 'y3mPbloElp'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, qndUxBDY3ogZg0FQZp.cs	High entropy of concatenated method names: 'oJxR2SZP06', 'Lt4RrF4LrU', 'ACEjux3KN6', 'KCgjZHEsd4', 'Duojkd2kIP', 'SafjvmtEXF', 'Wl9jQaW3Ia', 'Vr8janvueG', 'oIBjXlSgHJ', 'Wgnjg8Z9VY'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, drDY5ZQrw3vhx4aQZR.cs	High entropy of concatenated method names: 'yREe3cYLw4', 'hvjejJk53v', 'gnde1pkGso', 'svM1A0V5t6', 'hYh1zKG28C', 'IvUeWkq6gy', 'YOHePTkOvJ', 'mTPeEe3XKT', 'EWPebtBrir', 'AfHewuTqBF'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, d4juCvPPrFAZegDkUm9.cs	High entropy of concatenated method names: 'No1TA8Nkng', 'Eh5TzHUieR', 'KByMWbicr1', 'fxYMPIhF3a', 'kpkMEMsKE2', 'l2mMbt5s9S', 'gSNMwKptx6', 'KZsMxpZ1J2', 'vu4M3MaELD', 'zQBMU9vjeE'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, XwkPab82C4rmQwj4SM.cs	High entropy of concatenated method names: 'COasy71vsy', 'VQcsm9bSGL', 'ewJsuc6ZBP', 'JUlsZsSDG2', 'ulDskx6PX9', 'antsvu9j6j', 'l6VsQiO38P', 'XbesamAdR7', 'qUhsXNDMDX', 'MgdsgQPgbH'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, gcAprN0nZcnXjvNU8V.cs	High entropy of concatenated method names: 'AE4cp87LEJ', 'p7JcBERQLr', 'ToString', 'YoTc3XTCNV', 'HHVcU0Boqo', 'fYMcjXIiXY', 'PAGcRGdGEN', 'PeFc1IWT1r', 'l3XceAr2a7', 'DdAclLUk9s'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	High entropy of concatenated method names: 'zMTbxux9kK', 'iipb34elVV', 'qBObU1Wkbi', 'VfkbjVIpa1', 'krobRJybqk', 'N7Xb1JvRYX', 'H1Lbevo2gV', 'wJNblv5k4p', 'wIXbODbGyD', 'Vc0bpxqgGB'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, pWyTVjjcwexi4ap9s2.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dMkE85vCLa', 'IyYEArJ2q0', 'LYbEzmdpVK', 'ssHbW8vnsg', 'vm3bPsAJrZ', 'vxKbEkj2C2', 'cyKbbHiDU7', 'uV6TpWFU6sGV4in6lV'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, eLYjcVXuYhV6E8deAn.cs	High entropy of concatenated method names: 'w0LeL0pxG3', 'xb3e4yZqCt', 'Rnie5Eaip9', 'SUUenSZVaQ', 'luXe2xJsHK', 'rxmedVxpyu', 'FIxerGL356', 'dReetwikmg', 'uoReVAggTV', 'KUBeDviRci'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, guEVSASdoLol375CAS.cs	High entropy of concatenated method names: 'eeA7gFOjp3', 'MLO7KsK7cQ', 'JnG7S7JT7D', 'xj07YPHUhL', 'T447mMHUBb', 'Qvj7u7mhHD', 'wfL7ZtFXRN', 'BXl7k0XGZG', 'pvV7v4l55u', 'AU07Qy1o9v'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, Do17lLN0gRl6wqyP3e.cs	High entropy of concatenated method names: 'PwEcGDuklp', 'H0TcApEMJ5', 'p7mIWwUU2x', 'jqhIPTcdWX', 'vTrcFgpqcp', 'xsgcKh1y61', 'L5EcfvyjpQ', 'zpWcS72rcI', 'GUycYw34ei', 'QP6c6o6fBF'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, hUXaNrzH028t79s0PM.cs	High entropy of concatenated method names: 'wuXTdenNuX', 'qmYTt4nQwg', 'pjMTVKqaDq', 'ug2TyY8coB', 'z5qTmbZDR5', 'zjKTZq9lMP', 'sCATkptJaB', 'hnbTiCju5w', 'KtqTL3wEqO', 'HN6T4ZKVDN'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, hDS4SUhLeuyAG6OPcG.cs	High entropy of concatenated method names: 'mJ2s71etko', 'C6ZscjG7cC', 'Cw6ssAVRoo', 'bktsMyQhXU', 'ttisCDKMcc', 'z92siaQffW', 'Dispose', 'taOI3KE5th', 'aCQIU5wJV1', 'N2rIjtu8yk'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, guGbQYV3PCKoE8lsdM.cs	High entropy of concatenated method names: 'y5XjnZo4FU', 'WHOjdLohLq', 'ujJjt9HbTs', 'QwsjV94FfN', 'M0hj7G10NG', 'ajpjJYABi8', 'qw3jcPMJ5o', 'AiCjIBfXy1', 'W0fjsKPPsi', 'qTNjTidWDj'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, gM2dZAy4mGuA9acxVN.cs	High entropy of concatenated method names: 'qq21xXMy4L', 'nfG1Uxa63M', 'vtZ1RSV66B', 'XHq1eERaYt', 'CQM1lR3eIw', 'kPTRqZDESD', 'Q1LRNWanQJ', 'RSKRhndRuo', 'afkRG0uN19', 'ArRR82S7o9'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, FSlDIAULWsOZyBgUio.cs	High entropy of concatenated method names: 'Dispose', 'HyAP8G6OPc', 'IqtEmcLrtZ', 'nO75QThCV5', 'Ws3PANnHOK', 'VFZPzveAR2', 'ProcessDialogKey', 'tn8EWwkPab', 'AC4EPrmQwj', 'ySMEEEAGV2'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, cUob9L68Orw83r4y3n.cs	High entropy of concatenated method names: 'ToString', 'icoJF5X14L', 'iLIJmujCmo', 'bRkJu7oZpT', 'zqCJZucAQn', 'y26Jk6fovo', 'Mj4Jv1QppV', 'YRwJQoqlOw', 'zREJaciKQc', 'HqyJX1rAbg'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, GAqMo6PwXhEnGrnB70N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tJtosfnAKH', 'YDkoTyVWXi', 'AyYoMShc1C', 'M3Joo7YoVB', 'YBpoCE5dNe', 'NW6oHvggUc', 'GxxoiXlRNg'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, tQpX2TPWhXV3G3CHo8C.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NKpTFwsFGE', 'IYdTKuwBsL', 'WfHTfCxFTg', 'OQYTSsGdht', 'C2sTYxPIpg', 'xPlT6anqyn', 'qRTT0I88CA'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, nY5xMTEfYsiMCnJwR5.cs	High entropy of concatenated method names: 'gct5EyJXw', 'u3dntln4y', 'DG4dih589', 'arurpHey5', 'qbKVV1hbc', 'jgIDjiwnc', 'icarqX3RrlbWwNLZXq', 'jV5XLTQPC6tFW96SNf', 'RTbIOVSgK', 'lSpTJED7d'
Source: 0.2.Quotation.exe.423d330.0.raw.unpack, bAGV2ZANSMi8EFRhWH.cs	High entropy of concatenated method names: 'afsTjrZawp', 'LwXTRkiaOh', 'i7IT1t5XQM', 'MPnTe9OPl9', 'LUBTsHIujg', 'fb6TlcXb7q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, bYguYTfs5mWdHcD1kR.cs	High entropy of concatenated method names: 'Hbd9t5TixP', 'Ftg9VsRUir', 'fqD9y04mA5', 'eFV9mGcSIr', 'Lt39Z1h15V', 'qYT9kP7eUK', 'qs59QS0hsc', 'SVG9aGcyYK', 'caZ9gM9nwf', 'QG59F1ddmS'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, qbSm9MtWo11E4ypis0.cs	High entropy of concatenated method names: 'dVVUSlwZoZ', 'bsVUYHOkmy', 'wnqU6sDYHL', 'EZIU0NWYxA', 'LxrUq4UVNq', 'vedUN6PZbn', 'euZUhvunZh', 'c2nUGRQMSN', 'gFHU8mGZ9R', 'usjUA5rf3P'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, gZIVuhwH2sDyGhBf2T.cs	High entropy of concatenated method names: 'UXIPebSm9M', 'ao1Pl1E4yp', 'S3PPpCKoE8', 'ksdPBMcndU', 'TFQP7ZpUM2', 'CZAPJ4mGuA', 'ELCK49outP95EuAndw', 'Dk9tPQh8bGckLZiclZ', 'DJbPPgeKmx', 'y3mPbloElp'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, qndUxBDY3ogZg0FQZp.cs	High entropy of concatenated method names: 'oJxR2SZP06', 'Lt4RrF4LrU', 'ACEjux3KN6', 'KCgjZHEsd4', 'Duojkd2kIP', 'SafjvmtEXF', 'Wl9jQaW3Ia', 'Vr8janvueG', 'oIBjXlSgHJ', 'Wgnjg8Z9VY'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, drDY5ZQrw3vhx4aQZR.cs	High entropy of concatenated method names: 'yREe3cYLw4', 'hvjejJk53v', 'gnde1pkGso', 'svM1A0V5t6', 'hYh1zKG28C', 'IvUeWkq6gy', 'YOHePTkOvJ', 'mTPeEe3XKT', 'EWPebtBrir', 'AfHewuTqBF'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, d4juCvPPrFAZegDkUm9.cs	High entropy of concatenated method names: 'No1TA8Nkng', 'Eh5TzHUieR', 'KByMWbicr1', 'fxYMPIhF3a', 'kpkMEMsKE2', 'l2mMbt5s9S', 'gSNMwKptx6', 'KZsMxpZ1J2', 'vu4M3MaELD', 'zQBMU9vjeE'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, XwkPab82C4rmQwj4SM.cs	High entropy of concatenated method names: 'COasy71vsy', 'VQcsm9bSGL', 'ewJsuc6ZBP', 'JUlsZsSDG2', 'ulDskx6PX9', 'antsvu9j6j', 'l6VsQiO38P', 'XbesamAdR7', 'qUhsXNDMDX', 'MgdsgQPgbH'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, gcAprN0nZcnXjvNU8V.cs	High entropy of concatenated method names: 'AE4cp87LEJ', 'p7JcBERQLr', 'ToString', 'YoTc3XTCNV', 'HHVcU0Boqo', 'fYMcjXIiXY', 'PAGcRGdGEN', 'PeFc1IWT1r', 'l3XceAr2a7', 'DdAclLUk9s'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	High entropy of concatenated method names: 'zMTbxux9kK', 'iipb34elVV', 'qBObU1Wkbi', 'VfkbjVIpa1', 'krobRJybqk', 'N7Xb1JvRYX', 'H1Lbevo2gV', 'wJNblv5k4p', 'wIXbODbGyD', 'Vc0bpxqgGB'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, pWyTVjjcwexi4ap9s2.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dMkE85vCLa', 'IyYEArJ2q0', 'LYbEzmdpVK', 'ssHbW8vnsg', 'vm3bPsAJrZ', 'vxKbEkj2C2', 'cyKbbHiDU7', 'uV6TpWFU6sGV4in6lV'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, eLYjcVXuYhV6E8deAn.cs	High entropy of concatenated method names: 'w0LeL0pxG3', 'xb3e4yZqCt', 'Rnie5Eaip9', 'SUUenSZVaQ', 'luXe2xJsHK', 'rxmedVxpyu', 'FIxerGL356', 'dReetwikmg', 'uoReVAggTV', 'KUBeDviRci'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, guEVSASdoLol375CAS.cs	High entropy of concatenated method names: 'eeA7gFOjp3', 'MLO7KsK7cQ', 'JnG7S7JT7D', 'xj07YPHUhL', 'T447mMHUBb', 'Qvj7u7mhHD', 'wfL7ZtFXRN', 'BXl7k0XGZG', 'pvV7v4l55u', 'AU07Qy1o9v'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, Do17lLN0gRl6wqyP3e.cs	High entropy of concatenated method names: 'PwEcGDuklp', 'H0TcApEMJ5', 'p7mIWwUU2x', 'jqhIPTcdWX', 'vTrcFgpqcp', 'xsgcKh1y61', 'L5EcfvyjpQ', 'zpWcS72rcI', 'GUycYw34ei', 'QP6c6o6fBF'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, hUXaNrzH028t79s0PM.cs	High entropy of concatenated method names: 'wuXTdenNuX', 'qmYTt4nQwg', 'pjMTVKqaDq', 'ug2TyY8coB', 'z5qTmbZDR5', 'zjKTZq9lMP', 'sCATkptJaB', 'hnbTiCju5w', 'KtqTL3wEqO', 'HN6T4ZKVDN'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, hDS4SUhLeuyAG6OPcG.cs	High entropy of concatenated method names: 'mJ2s71etko', 'C6ZscjG7cC', 'Cw6ssAVRoo', 'bktsMyQhXU', 'ttisCDKMcc', 'z92siaQffW', 'Dispose', 'taOI3KE5th', 'aCQIU5wJV1', 'N2rIjtu8yk'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, guGbQYV3PCKoE8lsdM.cs	High entropy of concatenated method names: 'y5XjnZo4FU', 'WHOjdLohLq', 'ujJjt9HbTs', 'QwsjV94FfN', 'M0hj7G10NG', 'ajpjJYABi8', 'qw3jcPMJ5o', 'AiCjIBfXy1', 'W0fjsKPPsi', 'qTNjTidWDj'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, gM2dZAy4mGuA9acxVN.cs	High entropy of concatenated method names: 'qq21xXMy4L', 'nfG1Uxa63M', 'vtZ1RSV66B', 'XHq1eERaYt', 'CQM1lR3eIw', 'kPTRqZDESD', 'Q1LRNWanQJ', 'RSKRhndRuo', 'afkRG0uN19', 'ArRR82S7o9'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, FSlDIAULWsOZyBgUio.cs	High entropy of concatenated method names: 'Dispose', 'HyAP8G6OPc', 'IqtEmcLrtZ', 'nO75QThCV5', 'Ws3PANnHOK', 'VFZPzveAR2', 'ProcessDialogKey', 'tn8EWwkPab', 'AC4EPrmQwj', 'ySMEEEAGV2'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, cUob9L68Orw83r4y3n.cs	High entropy of concatenated method names: 'ToString', 'icoJF5X14L', 'iLIJmujCmo', 'bRkJu7oZpT', 'zqCJZucAQn', 'y26Jk6fovo', 'Mj4Jv1QppV', 'YRwJQoqlOw', 'zREJaciKQc', 'HqyJX1rAbg'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, GAqMo6PwXhEnGrnB70N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tJtosfnAKH', 'YDkoTyVWXi', 'AyYoMShc1C', 'M3Joo7YoVB', 'YBpoCE5dNe', 'NW6oHvggUc', 'GxxoiXlRNg'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, tQpX2TPWhXV3G3CHo8C.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NKpTFwsFGE', 'IYdTKuwBsL', 'WfHTfCxFTg', 'OQYTSsGdht', 'C2sTYxPIpg', 'xPlT6anqyn', 'qRTT0I88CA'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, nY5xMTEfYsiMCnJwR5.cs	High entropy of concatenated method names: 'gct5EyJXw', 'u3dntln4y', 'DG4dih589', 'arurpHey5', 'qbKVV1hbc', 'jgIDjiwnc', 'icarqX3RrlbWwNLZXq', 'jV5XLTQPC6tFW96SNf', 'RTbIOVSgK', 'lSpTJED7d'
Source: 0.2.Quotation.exe.42c7f50.3.raw.unpack, bAGV2ZANSMi8EFRhWH.cs	High entropy of concatenated method names: 'afsTjrZawp', 'LwXTRkiaOh', 'i7IT1t5XQM', 'MPnTe9OPl9', 'LUBTsHIujg', 'fb6TlcXb7q', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, bYguYTfs5mWdHcD1kR.cs	High entropy of concatenated method names: 'Hbd9t5TixP', 'Ftg9VsRUir', 'fqD9y04mA5', 'eFV9mGcSIr', 'Lt39Z1h15V', 'qYT9kP7eUK', 'qs59QS0hsc', 'SVG9aGcyYK', 'caZ9gM9nwf', 'QG59F1ddmS'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, qbSm9MtWo11E4ypis0.cs	High entropy of concatenated method names: 'dVVUSlwZoZ', 'bsVUYHOkmy', 'wnqU6sDYHL', 'EZIU0NWYxA', 'LxrUq4UVNq', 'vedUN6PZbn', 'euZUhvunZh', 'c2nUGRQMSN', 'gFHU8mGZ9R', 'usjUA5rf3P'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, gZIVuhwH2sDyGhBf2T.cs	High entropy of concatenated method names: 'UXIPebSm9M', 'ao1Pl1E4yp', 'S3PPpCKoE8', 'ksdPBMcndU', 'TFQP7ZpUM2', 'CZAPJ4mGuA', 'ELCK49outP95EuAndw', 'Dk9tPQh8bGckLZiclZ', 'DJbPPgeKmx', 'y3mPbloElp'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, qndUxBDY3ogZg0FQZp.cs	High entropy of concatenated method names: 'oJxR2SZP06', 'Lt4RrF4LrU', 'ACEjux3KN6', 'KCgjZHEsd4', 'Duojkd2kIP', 'SafjvmtEXF', 'Wl9jQaW3Ia', 'Vr8janvueG', 'oIBjXlSgHJ', 'Wgnjg8Z9VY'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, drDY5ZQrw3vhx4aQZR.cs	High entropy of concatenated method names: 'yREe3cYLw4', 'hvjejJk53v', 'gnde1pkGso', 'svM1A0V5t6', 'hYh1zKG28C', 'IvUeWkq6gy', 'YOHePTkOvJ', 'mTPeEe3XKT', 'EWPebtBrir', 'AfHewuTqBF'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, d4juCvPPrFAZegDkUm9.cs	High entropy of concatenated method names: 'No1TA8Nkng', 'Eh5TzHUieR', 'KByMWbicr1', 'fxYMPIhF3a', 'kpkMEMsKE2', 'l2mMbt5s9S', 'gSNMwKptx6', 'KZsMxpZ1J2', 'vu4M3MaELD', 'zQBMU9vjeE'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, XwkPab82C4rmQwj4SM.cs	High entropy of concatenated method names: 'COasy71vsy', 'VQcsm9bSGL', 'ewJsuc6ZBP', 'JUlsZsSDG2', 'ulDskx6PX9', 'antsvu9j6j', 'l6VsQiO38P', 'XbesamAdR7', 'qUhsXNDMDX', 'MgdsgQPgbH'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, gcAprN0nZcnXjvNU8V.cs	High entropy of concatenated method names: 'AE4cp87LEJ', 'p7JcBERQLr', 'ToString', 'YoTc3XTCNV', 'HHVcU0Boqo', 'fYMcjXIiXY', 'PAGcRGdGEN', 'PeFc1IWT1r', 'l3XceAr2a7', 'DdAclLUk9s'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, q7rKqClR0VtgmyiZ9k.cs	High entropy of concatenated method names: 'zMTbxux9kK', 'iipb34elVV', 'qBObU1Wkbi', 'VfkbjVIpa1', 'krobRJybqk', 'N7Xb1JvRYX', 'H1Lbevo2gV', 'wJNblv5k4p', 'wIXbODbGyD', 'Vc0bpxqgGB'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, pWyTVjjcwexi4ap9s2.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'dMkE85vCLa', 'IyYEArJ2q0', 'LYbEzmdpVK', 'ssHbW8vnsg', 'vm3bPsAJrZ', 'vxKbEkj2C2', 'cyKbbHiDU7', 'uV6TpWFU6sGV4in6lV'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, eLYjcVXuYhV6E8deAn.cs	High entropy of concatenated method names: 'w0LeL0pxG3', 'xb3e4yZqCt', 'Rnie5Eaip9', 'SUUenSZVaQ', 'luXe2xJsHK', 'rxmedVxpyu', 'FIxerGL356', 'dReetwikmg', 'uoReVAggTV', 'KUBeDviRci'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, guEVSASdoLol375CAS.cs	High entropy of concatenated method names: 'eeA7gFOjp3', 'MLO7KsK7cQ', 'JnG7S7JT7D', 'xj07YPHUhL', 'T447mMHUBb', 'Qvj7u7mhHD', 'wfL7ZtFXRN', 'BXl7k0XGZG', 'pvV7v4l55u', 'AU07Qy1o9v'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, Do17lLN0gRl6wqyP3e.cs	High entropy of concatenated method names: 'PwEcGDuklp', 'H0TcApEMJ5', 'p7mIWwUU2x', 'jqhIPTcdWX', 'vTrcFgpqcp', 'xsgcKh1y61', 'L5EcfvyjpQ', 'zpWcS72rcI', 'GUycYw34ei', 'QP6c6o6fBF'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, hUXaNrzH028t79s0PM.cs	High entropy of concatenated method names: 'wuXTdenNuX', 'qmYTt4nQwg', 'pjMTVKqaDq', 'ug2TyY8coB', 'z5qTmbZDR5', 'zjKTZq9lMP', 'sCATkptJaB', 'hnbTiCju5w', 'KtqTL3wEqO', 'HN6T4ZKVDN'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, hDS4SUhLeuyAG6OPcG.cs	High entropy of concatenated method names: 'mJ2s71etko', 'C6ZscjG7cC', 'Cw6ssAVRoo', 'bktsMyQhXU', 'ttisCDKMcc', 'z92siaQffW', 'Dispose', 'taOI3KE5th', 'aCQIU5wJV1', 'N2rIjtu8yk'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, guGbQYV3PCKoE8lsdM.cs	High entropy of concatenated method names: 'y5XjnZo4FU', 'WHOjdLohLq', 'ujJjt9HbTs', 'QwsjV94FfN', 'M0hj7G10NG', 'ajpjJYABi8', 'qw3jcPMJ5o', 'AiCjIBfXy1', 'W0fjsKPPsi', 'qTNjTidWDj'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, gM2dZAy4mGuA9acxVN.cs	High entropy of concatenated method names: 'qq21xXMy4L', 'nfG1Uxa63M', 'vtZ1RSV66B', 'XHq1eERaYt', 'CQM1lR3eIw', 'kPTRqZDESD', 'Q1LRNWanQJ', 'RSKRhndRuo', 'afkRG0uN19', 'ArRR82S7o9'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, FSlDIAULWsOZyBgUio.cs	High entropy of concatenated method names: 'Dispose', 'HyAP8G6OPc', 'IqtEmcLrtZ', 'nO75QThCV5', 'Ws3PANnHOK', 'VFZPzveAR2', 'ProcessDialogKey', 'tn8EWwkPab', 'AC4EPrmQwj', 'ySMEEEAGV2'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, cUob9L68Orw83r4y3n.cs	High entropy of concatenated method names: 'ToString', 'icoJF5X14L', 'iLIJmujCmo', 'bRkJu7oZpT', 'zqCJZucAQn', 'y26Jk6fovo', 'Mj4Jv1QppV', 'YRwJQoqlOw', 'zREJaciKQc', 'HqyJX1rAbg'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, GAqMo6PwXhEnGrnB70N.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tJtosfnAKH', 'YDkoTyVWXi', 'AyYoMShc1C', 'M3Joo7YoVB', 'YBpoCE5dNe', 'NW6oHvggUc', 'GxxoiXlRNg'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, tQpX2TPWhXV3G3CHo8C.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NKpTFwsFGE', 'IYdTKuwBsL', 'WfHTfCxFTg', 'OQYTSsGdht', 'C2sTYxPIpg', 'xPlT6anqyn', 'qRTT0I88CA'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, nY5xMTEfYsiMCnJwR5.cs	High entropy of concatenated method names: 'gct5EyJXw', 'u3dntln4y', 'DG4dih589', 'arurpHey5', 'qbKVV1hbc', 'jgIDjiwnc', 'icarqX3RrlbWwNLZXq', 'jV5XLTQPC6tFW96SNf', 'RTbIOVSgK', 'lSpTJED7d'
Source: 0.2.Quotation.exe.7030000.5.raw.unpack, bAGV2ZANSMi8EFRhWH.cs	High entropy of concatenated method names: 'afsTjrZawp', 'LwXTRkiaOh', 'i7IT1t5XQM', 'MPnTe9OPl9', 'LUBTsHIujg', 'fb6TlcXb7q', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\msfeedssync.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 2730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: AA70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: BA70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: BD10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: CD10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: D240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: E240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Memory allocated: F240000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5746	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1391	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Window / User API: threadDelayed 3855	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Window / User API: threadDelayed 6117	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\msfeedssync.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\Quotation.exe TID: 1492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6404	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5012	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1268	Thread sleep count: 3855 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1268	Thread sleep time: -7710000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1268	Thread sleep count: 6117 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe TID: 1268	Thread sleep time: -12234000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe TID: 4788	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe TID: 4788	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe TID: 4788	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe TID: 4788	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe TID: 4788	Thread sleep time: -37000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msfeedssync.exe	Last function: Thread delayed

Source: 1euF2H00K.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: msfeedssync.exe, 0000000B.00000002.4609390563.00000000075B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tVMware20,11696487552
Source: msfeedssync.exe, 0000000B.00000002.4609390563.00000000075B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CDYNVMware20,116l
Source: 1euF2H00K.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 1euF2H00K.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 1euF2H00K.11.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: 1euF2H00K.11.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 1euF2H00K.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 1euF2H00K.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 1euF2H00K.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 1euF2H00K.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 1euF2H00K.11.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: 1euF2H00K.11.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Quotation.exe, 00000000.00000002.2137675104.000000000097D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\]
Source: 1euF2H00K.11.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: msfeedssync.exe, 0000000B.00000002.4600877846.0000000002732000.00000004.00000020.00020000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000002.4604340384.0000000000AA9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2684621240.000001E2CEF2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 1euF2H00K.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 1euF2H00K.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 1euF2H00K.11.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 1euF2H00K.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 1euF2H00K.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Quotation.exe, 00000000.00000002.2137675104.000000000097D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 1euF2H00K.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 1euF2H00K.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 1euF2H00K.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 1euF2H00K.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 1euF2H00K.11.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 1euF2H00K.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 1euF2H00K.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 1euF2H00K.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 1euF2H00K.11.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 1euF2H00K.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 1euF2H00K.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 1euF2H00K.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 1euF2H00K.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 1euF2H00K.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\Quotation.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtAllocateVirtualMemory: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtAllocateVirtualMemory: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: NULL target: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msfeedssync.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files (x86)\eKbbLxAoOFVpwhdIZJtzvxFQWMPRHXGleBunjPXHkCIfuDCqMjJGMDldfzRpoxxMobpHrBMQR\giRzMM68LdwnHolLIsDhfg.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Quotation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Quotation.exe

Source: giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000000.2305433973.0000000000FB0000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000002.4604456568.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000000.2459847090.0000000001010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000000.2305433973.0000000000FB0000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000002.4604456568.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000000.2459847090.0000000001010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000000.2305433973.0000000000FB0000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000002.4604456568.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000000.2459847090.0000000001010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000000.2305433973.0000000000FB0000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000A.00000002.4604456568.0000000000FB1000.00000002.00000001.00040000.00000000.sdmp, giRzMM68LdwnHolLIsDhfg.exe, 0000000C.00000000.2459847090.0000000001010000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Users\user\Desktop\Quotation.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\msfeedssync.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement