Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION REQUEST.exe

Overview

General Information

Sample name:QUOTATION REQUEST.exe
Analysis ID:1618000
MD5:3f90cde69480a683fc09ba8c9b576cc4
SHA1:eb1f9d6c6e018bc9b5d519c76955af92f160bbf9
SHA256:57356dbebce9198acc6eb6c6d00d66e6bc1ed21a99988fc3bb473f83f5e8f939
Tags:exeuser-lowmal3
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • QUOTATION REQUEST.exe (PID: 5588 cmdline: "C:\Users\user\Desktop\QUOTATION REQUEST.exe" MD5: 3F90CDE69480A683FC09BA8C9B576CC4)
    • powershell.exe (PID: 64 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7196 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5200 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 4156 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • t9nPMqWgjgvh1b7pdo.exe (PID: 4920 cmdline: "C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\GZKeskRYjW7.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • expand.exe (PID: 7696 cmdline: "C:\Windows\SysWOW64\expand.exe" MD5: 544B0DBFF3F393BCE8BB9D815F532D51)
          • t9nPMqWgjgvh1b7pdo.exe (PID: 6096 cmdline: "C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\6Fc8sgAAv0ZXHp.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 3160 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • CBdbnantdvVSl.exe (PID: 2324 cmdline: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe MD5: 3F90CDE69480A683FC09BA8C9B576CC4)
    • schtasks.exe (PID: 7556 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B5A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000015.00000002.4865412130.0000000000830000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    0000000A.00000002.2723717849.0000000000400000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      00000015.00000002.4862844200.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000015.00000002.4865277895.00000000007E0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          0000000A.00000002.2724639659.0000000001350000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 4 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            10.2.RegSvcs.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              10.2.RegSvcs.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ParentImage: C:\Users\user\Desktop\QUOTATION REQUEST.exe, ParentProcessId: 5588, ParentProcessName: QUOTATION REQUEST.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ProcessId: 64, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ParentImage: C:\Users\user\Desktop\QUOTATION REQUEST.exe, ParentProcessId: 5588, ParentProcessName: QUOTATION REQUEST.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ProcessId: 64, ProcessName: powershell.exe
                Sigma detected: Suspicious Add Scheduled Task Parent
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B5A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B5A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe, ParentImage: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe, ParentProcessId: 2324, ParentProcessName: CBdbnantdvVSl.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B5A.tmp", ProcessId: 7556, ProcessName: schtasks.exe
                Sigma detected: Suspicious Schtasks From Env Var Folder
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ParentImage: C:\Users\user\Desktop\QUOTATION REQUEST.exe, ParentProcessId: 5588, ParentProcessName: QUOTATION REQUEST.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp", ProcessId: 5200, ProcessName: schtasks.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ParentImage: C:\Users\user\Desktop\QUOTATION REQUEST.exe, ParentProcessId: 5588, ParentProcessName: QUOTATION REQUEST.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ProcessId: 64, ProcessName: powershell.exe

                Persistence and Installation Behavior

                barindex
                Sigma detected: Scheduled temp file as task from temp location
                Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATION REQUEST.exe", ParentImage: C:\Users\user\Desktop\QUOTATION REQUEST.exe, ParentProcessId: 5588, ParentProcessName: QUOTATION REQUEST.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp", ProcessId: 5200, ProcessName: schtasks.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-18T14:59:43.616372+010020507451Malware Command and Control Activity Detected192.168.2.6500725.83.145.16780TCP
                2025-02-18T15:00:52.038468+010020507451Malware Command and Control Activity Detected192.168.2.65000681.88.63.4680TCP
                2025-02-18T15:01:15.447512+010020507451Malware Command and Control Activity Detected192.168.2.65001957.129.59.2780TCP
                2025-02-18T15:01:28.842626+010020507451Malware Command and Control Activity Detected192.168.2.650027185.125.27.3280TCP
                2025-02-18T15:01:42.256822+010020507451Malware Command and Control Activity Detected192.168.2.650031185.173.109.8380TCP
                2025-02-18T15:01:55.912935+010020507451Malware Command and Control Activity Detected192.168.2.650035199.115.118.780TCP
                2025-02-18T15:02:09.993806+010020507451Malware Command and Control Activity Detected192.168.2.65003946.30.215.15280TCP
                2025-02-18T15:02:31.846441+010020507451Malware Command and Control Activity Detected192.168.2.650043104.21.80.180TCP
                2025-02-18T15:02:45.412366+010020507451Malware Command and Control Activity Detected192.168.2.65004869.57.163.22780TCP
                2025-02-18T15:02:59.040672+010020507451Malware Command and Control Activity Detected192.168.2.650052188.114.97.380TCP
                2025-02-18T15:03:12.487815+010020507451Malware Command and Control Activity Detected192.168.2.650056199.59.243.22880TCP
                2025-02-18T15:03:25.817082+010020507451Malware Command and Control Activity Detected192.168.2.650060172.67.200.14880TCP
                2025-02-18T15:03:40.577874+010020507451Malware Command and Control Activity Detected192.168.2.650064156.237.132.25180TCP
                2025-02-18T15:03:54.731117+010020507451Malware Command and Control Activity Detected192.168.2.650068192.186.58.3180TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-18T15:01:07.733309+010028554641A Network Trojan was detected192.168.2.65001657.129.59.2780TCP
                2025-02-18T15:01:10.366120+010028554641A Network Trojan was detected192.168.2.65001757.129.59.2780TCP
                2025-02-18T15:01:12.909949+010028554641A Network Trojan was detected192.168.2.65001857.129.59.2780TCP
                2025-02-18T15:01:21.182865+010028554641A Network Trojan was detected192.168.2.650020185.125.27.3280TCP
                2025-02-18T15:01:23.751414+010028554641A Network Trojan was detected192.168.2.650021185.125.27.3280TCP
                2025-02-18T15:01:26.294914+010028554641A Network Trojan was detected192.168.2.650025185.125.27.3280TCP
                2025-02-18T15:01:34.577652+010028554641A Network Trojan was detected192.168.2.650028185.173.109.8380TCP
                2025-02-18T15:01:37.138101+010028554641A Network Trojan was detected192.168.2.650029185.173.109.8380TCP
                2025-02-18T15:01:39.681539+010028554641A Network Trojan was detected192.168.2.650030185.173.109.8380TCP
                2025-02-18T15:01:47.942798+010028554641A Network Trojan was detected192.168.2.650032199.115.118.780TCP
                2025-02-18T15:01:50.761137+010028554641A Network Trojan was detected192.168.2.650033199.115.118.780TCP
                2025-02-18T15:01:53.327013+010028554641A Network Trojan was detected192.168.2.650034199.115.118.780TCP
                2025-02-18T15:02:01.622482+010028554641A Network Trojan was detected192.168.2.65003646.30.215.15280TCP
                2025-02-18T15:02:04.187657+010028554641A Network Trojan was detected192.168.2.65003746.30.215.15280TCP
                2025-02-18T15:02:07.209540+010028554641A Network Trojan was detected192.168.2.65003846.30.215.15280TCP
                2025-02-18T15:02:24.157122+010028554641A Network Trojan was detected192.168.2.650040104.21.80.180TCP
                2025-02-18T15:02:26.764361+010028554641A Network Trojan was detected192.168.2.650041104.21.80.180TCP
                2025-02-18T15:02:29.288797+010028554641A Network Trojan was detected192.168.2.650042104.21.80.180TCP
                2025-02-18T15:02:37.730639+010028554641A Network Trojan was detected192.168.2.65004569.57.163.22780TCP
                2025-02-18T15:02:40.317007+010028554641A Network Trojan was detected192.168.2.65004669.57.163.22780TCP
                2025-02-18T15:02:42.864351+010028554641A Network Trojan was detected192.168.2.65004769.57.163.22780TCP
                2025-02-18T15:02:51.404292+010028554641A Network Trojan was detected192.168.2.650049188.114.97.380TCP
                2025-02-18T15:02:53.929404+010028554641A Network Trojan was detected192.168.2.650050188.114.97.380TCP
                2025-02-18T15:02:56.502426+010028554641A Network Trojan was detected192.168.2.650051188.114.97.380TCP
                2025-02-18T15:03:04.732474+010028554641A Network Trojan was detected192.168.2.650053199.59.243.22880TCP
                2025-02-18T15:03:07.338425+010028554641A Network Trojan was detected192.168.2.650054199.59.243.22880TCP
                2025-02-18T15:03:09.927881+010028554641A Network Trojan was detected192.168.2.650055199.59.243.22880TCP
                2025-02-18T15:03:18.189330+010028554641A Network Trojan was detected192.168.2.650057172.67.200.14880TCP
                2025-02-18T15:03:20.742844+010028554641A Network Trojan was detected192.168.2.650058172.67.200.14880TCP
                2025-02-18T15:03:23.277910+010028554641A Network Trojan was detected192.168.2.650059172.67.200.14880TCP
                2025-02-18T15:03:32.798914+010028554641A Network Trojan was detected192.168.2.650061156.237.132.25180TCP
                2025-02-18T15:03:35.323294+010028554641A Network Trojan was detected192.168.2.650062156.237.132.25180TCP
                2025-02-18T15:03:38.063140+010028554641A Network Trojan was detected192.168.2.650063156.237.132.25180TCP
                2025-02-18T15:03:46.984313+010028554641A Network Trojan was detected192.168.2.650065192.186.58.3180TCP
                2025-02-18T15:03:49.513234+010028554641A Network Trojan was detected192.168.2.650066192.186.58.3180TCP
                2025-02-18T15:03:52.040984+010028554641A Network Trojan was detected192.168.2.650067192.186.58.3180TCP
                2025-02-18T15:04:02.430974+010028554641A Network Trojan was detected192.168.2.6500695.83.145.16780TCP
                2025-02-18T15:04:05.053536+010028554641A Network Trojan was detected192.168.2.6500705.83.145.16780TCP
                2025-02-18T15:04:07.600733+010028554641A Network Trojan was detected192.168.2.6500715.83.145.16780TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Multi AV Scanner detection for dropped file
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeReversingLabs: Detection: 37%
                Multi AV Scanner detection for submitted file
                Source: QUOTATION REQUEST.exeReversingLabs: Detection: 37%
                Source: QUOTATION REQUEST.exeVirustotal: Detection: 30%Perma Link
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000015.00000002.4865412130.0000000000830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2723717849.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4862844200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4865277895.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2724639659.0000000001350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.4864904721.0000000004F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2726669936.00000000040B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: QUOTATION REQUEST.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: QUOTATION REQUEST.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: expand.pdb source: RegSvcs.exe, 0000000A.00000002.2724346403.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000003.2780679255.00000000009A4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: YkQz.pdbSHA256.y source: QUOTATION REQUEST.exe, CBdbnantdvVSl.exe.1.dr
                Source: Binary string: RegSvcs.pdb, source: expand.exe, 00000015.00000002.4868259437.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4863161881.0000000000624000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3029724778.000000003916C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.2724848854.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2726197411.000000000436C000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2724014577.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.0000000004520000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.2724848854.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2726197411.000000000436C000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2724014577.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.0000000004520000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: YkQz.pdb source: QUOTATION REQUEST.exe, CBdbnantdvVSl.exe.1.dr
                Source: Binary string: RegSvcs.pdb source: expand.exe, 00000015.00000002.4868259437.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4863161881.0000000000624000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3029724778.000000003916C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: expand.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.2724346403.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000003.2780679255.00000000009A4000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50006 -> 81.88.63.46:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50031 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50033 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50029 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50020 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50039 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50067 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50055 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50045 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50053 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50054 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50060 -> 172.67.200.148:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50058 -> 172.67.200.148:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50018 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50036 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50027 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50070 -> 5.83.145.167:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50049 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50016 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50061 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50040 -> 104.21.80.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50065 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50030 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50021 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50028 -> 185.173.109.83:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50052 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50017 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50068 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50038 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50051 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50059 -> 172.67.200.148:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50048 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50046 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50034 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50066 -> 192.186.58.31:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50050 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50057 -> 172.67.200.148:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50035 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50069 -> 5.83.145.167:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50063 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50056 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50062 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50032 -> 199.115.118.7:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50042 -> 104.21.80.1:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50019 -> 57.129.59.27:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50071 -> 5.83.145.167:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50064 -> 156.237.132.251:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50047 -> 69.57.163.227:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50025 -> 185.125.27.32:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50043 -> 104.21.80.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50037 -> 46.30.215.152:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50041 -> 104.21.80.1:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50072 -> 5.83.145.167:80
                Source: Joe Sandbox ViewIP Address: 46.30.215.152 46.30.215.152
                Source: Joe Sandbox ViewIP Address: 156.237.132.251 156.237.132.251
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /087f/?jbYt=8l_XGJ1xLdkT&Aj=/+VApexTt9HOM++SPmwEwIPEf0/T4DuR+3H+x2bofqLK9hQM6vFBwOGgAi+X2fqxwQ1ou54V0To7YzjBsLnKYp2AIHkmZl9IgNZd9DMY5t5xoChvcv9+gf+rEoxU16Ny66L5TaA= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.svapo-discount.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /e5yq/?Aj=qOrZstQLFDjY35neNf89MDJ9nf2L1rigJ8RKiFMCPEpMfwSIp+9fX8hV8WV1bGk5WTdqofzLYsp5dIdRWJOxu/TyvJuF3KgHrd5m055Sh1aJOViNkomZRQcArE7f5tAZ5SJ9JLg=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.cloud-kuprof2.clickConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /ofh9/?jbYt=8l_XGJ1xLdkT&Aj=I/AIQBt91SjjmW7MqYl1w6/tzeoCsDhHrPjx2aa3mfwI96xGBmPDj2/DwTy54di9LqgvRJSdMBi+4aDHnMP/p5g9Kf4SZeCcsmw9o67zer5rkCSAqihUlDGRUovHZWtvQ9fBa+E= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.us-urbanservices.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /kgly/?Aj=kHDPjHSCTDWze2VjxphhduEZIQIJ/nqIRy913+LiUFBZ8mPBixNUQSiJEIiDfqrU3isfO7fPRYrN7NcK+TCjMfHqBneQRuGn8o14eruMAAI2sSIxG4aIeXk5C/qDZuaPWT6rpjk=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.mercadoacheaqui.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /ini7/?jbYt=8l_XGJ1xLdkT&Aj=/V2dyBCQIymRdW2WVvojE9BQWqeFiEFGHoD/v1zIccSKXBD/u3m45o6n66wne4dGny1GEU0lVgybrccvYzwubF0GN3Jwcu8r7159UiNMoO+MAjyY2dxxV4zopwbcTliZVKCQJaI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.stellaritemvault.shopConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /a03a/?Aj=gbpm5i4mjdRTpsD4ukyQUpuBIESGcKsn7tndTt/1ptPJXhelYHvIT1+xODcd4J5R/UoIEMhQotvXyQcGtLddcY0o1O22shAiN9Og8N16U6t9eQYaVT/U3h1GMQyc+iTj2kMtpdI=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.happywines.onlineConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /t3l4/?Aj=CqVVwb5DlZToVuajgBlcv5JZbje7vALA0dR9MIf9fL3xEv5xNjwQwR2wua7EvEEUK9CYQvrPGqXpozJhpuTX66lw4cYUB3BCKW09p9h7UQYN9bkUB1Jq5vtlByzA31L0/rJG3tc=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.shlomi.appConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /3nup/?Aj=rNM/wfGF14FuuluZ9P+qZNcbi4LmAErtgTiJjwj3M/Lm0YrEjUDt6p3+e6U9/DwvX9G7HUuqFaHLejiZVT9fYXCRGpHKL3/EwEY3GFfEr2eCqJTQdVhSAOkAQG0hTnSuOR/YlH8=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.primeibes.liveConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /fxnj/?Aj=45DZWeiZa1ODYTtYvhRQnIg4OhUyGWrzV9s5mfr3FiPg/2r7aObd3rRaXNXIBqZao+bAnByotP/DyAd3Ub73flFh+hW9OPW96QbZzYmH+Kivzp5ZMCHcNzvFeS8dkTNxUXFE7Q4=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.timeinsardinia.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /jhy6/?jbYt=8l_XGJ1xLdkT&Aj=r3p6owiIh2ORZTDKkqg/cv+1RL/6kjNU1I0QmbdNDMZxDSfHmNEQkytjyV6hp+eE5B+UZNRsSifc+xSLDJDUGVDhrMEAblZzcYQANbwIVngHkqtl8C6kbFCTn4m2HWNDCg37WYg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.epdemexi.latConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /kaxq/?Aj=k5L6+sXwp1twjCX87icDLzKZj1l/chIoaKporpdbXy3geJrdOKcHCbRSO7udiXi3ZfVDoDxsTYJ2hvQZYkSpYfb9wRwu76J2slExC7S2ZOLbStmFwpeosmvPUFJ8cGqHmlFWjAc=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.rtphajar4d.artConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /39j7/?jbYt=8l_XGJ1xLdkT&Aj=irqk8Ruy0NHuclgOyk5OSiGd3IwnhCa0QV4gt0w89tt228L+yHV3xfQ+cTMSAEzqpMnZS5AKj3b8dAcHexFsKI/QV9FXc7wD/u5s2ZrL4vpZc+eiBxwK7JIHYe/LmSyvuQb82I4= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.charge33.worldConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /rpa8/?Aj=aaL5v5cJ0iOT+oy3w72qzyvAGNED1eAs/Ive+7H31bsM9C22tfF5jf7OJH1svFJzXvgYIuSI0fA9TYsgi9T5W1xk2zpv/CK84mDoY6VoBETfiwrYwNK/fuK9lMHH6/eFzaZFn4U=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.choujiezhibo.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficHTTP traffic detected: GET /54c9/?Aj=2xrBThhS8fGNSn1z20+0vMX8+PpYCPaUdMjP4m6JfkgeXHJdNi5QkP1gNum+786tmq5d3W1cCWFHQvBkoKcFGfwwH8/DGaWsdmMBqT5n9O+c/Ds7hW3uto19fzStAJxgQ/t91gg=&jbYt=8l_XGJ1xLdkT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.tsd2.netConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)
                Source: global trafficDNS traffic detected: DNS query: www.svapo-discount.net
                Source: global trafficDNS traffic detected: DNS query: www.cloud-kuprof2.click
                Source: global trafficDNS traffic detected: DNS query: www.us-urbanservices.net
                Source: global trafficDNS traffic detected: DNS query: www.mercadoacheaqui.shop
                Source: global trafficDNS traffic detected: DNS query: www.stellaritemvault.shop
                Source: global trafficDNS traffic detected: DNS query: www.happywines.online
                Source: global trafficDNS traffic detected: DNS query: www.avisos-bbva.info
                Source: global trafficDNS traffic detected: DNS query: www.shlomi.app
                Source: global trafficDNS traffic detected: DNS query: www.primeibes.live
                Source: global trafficDNS traffic detected: DNS query: www.timeinsardinia.info
                Source: global trafficDNS traffic detected: DNS query: www.epdemexi.lat
                Source: global trafficDNS traffic detected: DNS query: www.rtphajar4d.art
                Source: global trafficDNS traffic detected: DNS query: www.charge33.world
                Source: global trafficDNS traffic detected: DNS query: www.choujiezhibo.net
                Source: global trafficDNS traffic detected: DNS query: www.tsd2.net
                Source: unknownHTTP traffic detected: POST /e5yq/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.cloud-kuprof2.clickOrigin: http://www.cloud-kuprof2.clickReferer: http://www.cloud-kuprof2.click/e5yq/Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedContent-Length: 207Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; BOIE9;ENUS)Data Raw: 41 6a 3d 6e 4d 44 35 76 64 63 46 4b 52 50 79 70 70 72 45 42 39 34 37 4b 31 31 64 68 63 79 36 7a 71 4b 46 44 36 59 33 33 42 56 44 42 55 31 6a 58 56 6d 4b 32 38 68 4f 53 5a 6f 77 38 51 64 7a 56 48 74 6e 54 48 52 6d 75 36 58 49 4e 2b 31 44 4e 63 42 77 55 37 36 2f 79 50 54 57 6d 35 6d 49 71 49 38 53 36 64 73 35 7a 4a 78 55 36 31 65 50 42 43 66 67 6c 38 69 34 4a 42 49 6b 6a 77 44 37 73 4e 4d 55 6c 67 4d 45 4e 66 53 30 39 48 4a 39 70 4f 4c 49 50 47 56 2f 75 69 65 68 34 57 4d 77 52 65 2f 63 32 6c 76 50 6c 75 4c 30 69 33 4d 69 4e 38 36 6e 42 32 6d 30 56 4c 4a 70 7a 78 62 4a 74 6b 77 43 4a 47 69 4f 55 4d 68 48 68 30 61 48 Data Ascii: Aj=nMD5vdcFKRPypprEB947K11dhcy6zqKFD6Y33BVDBU1jXVmK28hOSZow8QdzVHtnTHRmu6XIN+1DNcBwU76/yPTWm5mIqI8S6ds5zJxU61ePBCfgl8i4JBIkjwD7sNMUlgMENfS09HJ9pOLIPGV/uieh4WMwRe/c2lvPluL0i3MiN86nB2m0VLJpzxbJtkwCJGiOUMhHh0aH
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:00:50 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 38 37 66 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /087f/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:00:50 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 38 37 66 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /087f/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:00:50 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 30 38 37 66 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /087f/ was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 14:01:07 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 5b 8a a7 90 8b 54 f0 a0 17 bf 20 75 d7 26 90 6e 24 46 b0 7f 6f aa 2d 88 67 8f 1e 77 f6 cd 30 8c b2 a9 f7 7a b9 50 96 0c 6a 95 5c f2 a4 eb 75 0d c7 90 60 17 ee 8c 4a be 45 25 5f 48 46 db 80 c3 68 39 13 27 8a 5a d9 f2 db 91 15 25 a7 f7 98 9d a1 e9 e2 ce f1 43 96 45 b5 29 aa 4f 44 ce a1 72 2e b4 12 02 0c 5c 0d a2 e3 0e 52 00 74 37 d3 7a 82 c3 69 df 80 61 84 ad 8d a1 27 b8 44 47 8c 7e 00 8a 31 c4 ec e8 08 84 18 0b fe 23 7e b9 c5 13 fc 4c ac 1f 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@[T u&n$Fo-gw0zPj\u`JE%_HFh9'Z%CE)ODr.\Rt7zia'DG~1#~L+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 14:01:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 5b 8a a7 90 8b 54 f0 a0 17 bf 20 75 d7 26 90 6e 24 46 b0 7f 6f aa 2d 88 67 8f 1e 77 f6 cd 30 8c b2 a9 f7 7a b9 50 96 0c 6a 95 5c f2 a4 eb 75 0d c7 90 60 17 ee 8c 4a be 45 25 5f 48 46 db 80 c3 68 39 13 27 8a 5a d9 f2 db 91 15 25 a7 f7 98 9d a1 e9 e2 ce f1 43 96 45 b5 29 aa 4f 44 ce a1 72 2e b4 12 02 0c 5c 0d a2 e3 0e 52 00 74 37 d3 7a 82 c3 69 df 80 61 84 ad 8d a1 27 b8 44 47 8c 7e 00 8a 31 c4 ec e8 08 84 18 0b fe 23 7e b9 c5 13 fc 4c ac 1f 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@[T u&n$Fo-gw0zPj\u`JE%_HFh9'Z%CE)ODr.\Rt7zia'DG~1#~L+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 14:01:12 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 62 31 0d 0a 1f 8b 08 00 00 00 00 00 04 03 ed 90 c1 0a c2 30 10 44 ef 82 ff b0 7e 40 1a 5b 8a a7 90 8b 54 f0 a0 17 bf 20 75 d7 26 90 6e 24 46 b0 7f 6f aa 2d 88 67 8f 1e 77 f6 cd 30 8c b2 a9 f7 7a b9 50 96 0c 6a 95 5c f2 a4 eb 75 0d c7 90 60 17 ee 8c 4a be 45 25 5f 48 46 db 80 c3 68 39 13 27 8a 5a d9 f2 db 91 15 25 a7 f7 98 9d a1 e9 e2 ce f1 43 96 45 b5 29 aa 4f 44 ce a1 72 2e b4 12 02 0c 5c 0d a2 e3 0e 52 00 74 37 d3 7a 82 c3 69 df 80 61 84 ad 8d a1 27 b8 44 47 8c 7e 00 8a 31 c4 ec e8 08 84 18 0b fe 23 7e b9 c5 13 fc 4c ac 1f 2b 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b10D~@[T u&n$Fo-gw0zPj\u`JE%_HFh9'Z%CE)ODr.\Rt7zia'DG~1#~L+0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.2Date: Tue, 18 Feb 2025 14:01:15 GMTContent-Type: text/htmlContent-Length: 555Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.26.2</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 14:01:21 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6-gzip"accept-ranges: bytesvary: Accept-Encodingcontent-encoding: gzipcontent-length: 1574content-type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 6e db 36 14 fe df a7 e0 34 14 6b 00 4b 96 ed 64 49 24 db db b0 ae c0 7e 14 6d d1 0e db b0 0d 05 25 1d 49 5c 28 51 23 e9 d8 ae e0 07 ca 73 e4 c5 76 a8 8b 4d 5f 92 14 e8 8f 22 b0 65 91 87 3c b7 ef 7c 3c cc f4 9b 97 6f 7e fe f0 e7 db 5f 48 ae 0b 3e 7f 36 35 0f c2 69 99 cd 9c 54 3a 66 00 68 82 8f 02 34 25 71 4e a5 02 3d 73 7e fb f0 ca bd 32 b3 9a 69 0e f3 f7 4c 03 81 92 14 94 95 1a 4a 5a c6 30 1d b6 53 dd ca 92 16 30 73 12 50 b1 64 95 66 a2 74 48 2c 8c 2c 6e e6 ec 0b 65 50 82 a4 5a 48 4b 24 17 4a b3 32 73 2b 9a 81 1b 2d 18 4f 40 1e 2c bb 65 b0 ac 84 d4 d6 aa 25 4b 74 3e 4b e0 96 c5 e0 36 2f 03 c2 4a a6 19 e5 ae 8a 29 87 d9 e8 60 13 91 05 0b c9 6d c5 5a 57 c1 70 58 8e 47 5c ff 1b 15 ab b5 f2 2a 09 46 97 c7 ca 54 14 b4 64 f4 c6 5b 42 a4 30 04 43 6b cc b5 62 e1 99 a0 1e 6b e2 c2 d8 60 29 4b 0f 7d 42 21 bd ae 6c 91 4e d3 09 39 13 6d 4b f0 44 4a 8e 17 7d 56 3e 4c 4c aa 84 6a 48 3e 6a 56 d8 3a 46 97 93 f1 f7 e7 fe c5 55 13 46 ce ca 1b 22 81 cf 1c a5 d7 1c 54 0e 80 c9 c8 25 a4 6d 18 15 c6 91 2a 84 8f f2 14 66 17 33 69 87 30 16 c5 30 c5 8d 55 f3 ed d2 25 28 51 c0 f0 dc 9b 78 fe 30 56 fb c3 5e c1 4a 0f 07 3f 57 6d b3 b1 97 09 91 71 a0 15 53 8d 36 5c ff 43 4a 0b c6 d7 b3 37 15 46 ea 3d 2d 9b 0d 9b 6d e6 cf 4c ce 06 91 48 d6 75 0e 2c cb 75 30 f2 fd e7 61 45 93 04 81 18 f8 61 41 65 c6 ca c0 df 78 06 94 75 25 30 2f 18 c7 00 4d a1 9a dd 42 98 30 55 71 ba 0e 34 8d 38 84 cd b7 8b ef 62 a1 83 94 ad 20 09 1b 44 b6 db da 2a d0 21 70 bb 81 52 c8 82 f2 50 c3 0a 7d e7 2c 2b 83 18 23 0f 32 6c a2 d1 5a 1f 6c ad 1f 10 85 df ae 02 c9 d2 56 42 b1 4f 10 8c bc 11 14 61 2c b8 90 c1 b7 69 9a 86 11 8d 6f 32 29 16 65 e2 f6 a3 be f9 b3 27 9a 95 b1 b8 45 5d d6 e8 d6 cb 0b ff 39 c1 8f 3d 27 a1 02 6a 4c ee 7e d9 73 54 6b 1a e7 05 da de fa be c9 47 83 7c 3c c8 27 83 fc 7c 90 5f d4 b6 cf 23 6f d2 1a bf b4 63 b0 f1 a2 6c ab de d5 a2 aa 1f 32 cb df 17 2d 58 92 70 78 50 1a 3f fb f2 91 d0 5a 14 0f ca 9b 14 b5 29 0f 22 48 85 84 ba 2b 87 c0 71 c2 ad 24 8d 94 e0 0b 8d 69 17 15 62 85 43 aa f1 d1 6e 8d 3f 64 e3 98 1f a6 8c 63 32 03 ca ab 9c be 10 15 8d 99 5e cf ce fd b3 d0 2d 94 db 4d 3a 95 14 19 4b 82 97 7f fc 5a a0 d6 0f 12 53 8c 7a 0b ef 35 8b a5 50 22 d5 de 4f cd fa 37 bb f5 4e d8 6d 16 f8 de f9 86 15 59 5d d0 95 6b e1 ad fd 49 17 5a fc 7d dd 83 cf bc 6d e8 80 06 a6 a2 ea 16 18 ac cc 11 4c fa b4 a1 57 17 5f 66 28 ae b7 0d bd ba d8 d0 20 37 88 43 1b 52 11 2f 14 3e 69 6c 6a a9 3e a9 1f 3d f9 32 03 cc 06 3b 0b 46 21 22 2e ba 61 da d5 66 65 97 48 ce 89 37 51 04 a8 02 97 95 2e 56 6f f8 f8 f4 66 c1 07 82 d7 7d f5 b3 b2 c1 76 84 64 7f 63 d7 b1 81 44 b8 cb 4a 03 43 83 24 a4 6b 90 4f b1 89 1b 03 e7 36 7f 60 d0 34 c3 d3 a4 db bc c5 fc 96 ac b0 f
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 14:01:23 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6-gzip"accept-ranges: bytesvary: Accept-Encodingcontent-encoding: gzipcontent-length: 1574content-type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 6e db 36 14 fe df a7 e0 34 14 6b 00 4b 96 ed 64 49 24 db db b0 ae c0 7e 14 6d d1 0e db b0 0d 05 25 1d 49 5c 28 51 23 e9 d8 ae e0 07 ca 73 e4 c5 76 a8 8b 4d 5f 92 14 e8 8f 22 b0 65 91 87 3c b7 ef 7c 3c cc f4 9b 97 6f 7e fe f0 e7 db 5f 48 ae 0b 3e 7f 36 35 0f c2 69 99 cd 9c 54 3a 66 00 68 82 8f 02 34 25 71 4e a5 02 3d 73 7e fb f0 ca bd 32 b3 9a 69 0e f3 f7 4c 03 81 92 14 94 95 1a 4a 5a c6 30 1d b6 53 dd ca 92 16 30 73 12 50 b1 64 95 66 a2 74 48 2c 8c 2c 6e e6 ec 0b 65 50 82 a4 5a 48 4b 24 17 4a b3 32 73 2b 9a 81 1b 2d 18 4f 40 1e 2c bb 65 b0 ac 84 d4 d6 aa 25 4b 74 3e 4b e0 96 c5 e0 36 2f 03 c2 4a a6 19 e5 ae 8a 29 87 d9 e8 60 13 91 05 0b c9 6d c5 5a 57 c1 70 58 8e 47 5c ff 1b 15 ab b5 f2 2a 09 46 97 c7 ca 54 14 b4 64 f4 c6 5b 42 a4 30 04 43 6b cc b5 62 e1 99 a0 1e 6b e2 c2 d8 60 29 4b 0f 7d 42 21 bd ae 6c 91 4e d3 09 39 13 6d 4b f0 44 4a 8e 17 7d 56 3e 4c 4c aa 84 6a 48 3e 6a 56 d8 3a 46 97 93 f1 f7 e7 fe c5 55 13 46 ce ca 1b 22 81 cf 1c a5 d7 1c 54 0e 80 c9 c8 25 a4 6d 18 15 c6 91 2a 84 8f f2 14 66 17 33 69 87 30 16 c5 30 c5 8d 55 f3 ed d2 25 28 51 c0 f0 dc 9b 78 fe 30 56 fb c3 5e c1 4a 0f 07 3f 57 6d b3 b1 97 09 91 71 a0 15 53 8d 36 5c ff 43 4a 0b c6 d7 b3 37 15 46 ea 3d 2d 9b 0d 9b 6d e6 cf 4c ce 06 91 48 d6 75 0e 2c cb 75 30 f2 fd e7 61 45 93 04 81 18 f8 61 41 65 c6 ca c0 df 78 06 94 75 25 30 2f 18 c7 00 4d a1 9a dd 42 98 30 55 71 ba 0e 34 8d 38 84 cd b7 8b ef 62 a1 83 94 ad 20 09 1b 44 b6 db da 2a d0 21 70 bb 81 52 c8 82 f2 50 c3 0a 7d e7 2c 2b 83 18 23 0f 32 6c a2 d1 5a 1f 6c ad 1f 10 85 df ae 02 c9 d2 56 42 b1 4f 10 8c bc 11 14 61 2c b8 90 c1 b7 69 9a 86 11 8d 6f 32 29 16 65 e2 f6 a3 be f9 b3 27 9a 95 b1 b8 45 5d d6 e8 d6 cb 0b ff 39 c1 8f 3d 27 a1 02 6a 4c ee 7e d9 73 54 6b 1a e7 05 da de fa be c9 47 83 7c 3c c8 27 83 fc 7c 90 5f d4 b6 cf 23 6f d2 1a bf b4 63 b0 f1 a2 6c ab de d5 a2 aa 1f 32 cb df 17 2d 58 92 70 78 50 1a 3f fb f2 91 d0 5a 14 0f ca 9b 14 b5 29 0f 22 48 85 84 ba 2b 87 c0 71 c2 ad 24 8d 94 e0 0b 8d 69 17 15 62 85 43 aa f1 d1 6e 8d 3f 64 e3 98 1f a6 8c 63 32 03 ca ab 9c be 10 15 8d 99 5e cf ce fd b3 d0 2d 94 db 4d 3a 95 14 19 4b 82 97 7f fc 5a a0 d6 0f 12 53 8c 7a 0b ef 35 8b a5 50 22 d5 de 4f cd fa 37 bb f5 4e d8 6d 16 f8 de f9 86 15 59 5d d0 95 6b e1 ad fd 49 17 5a fc 7d dd 83 cf bc 6d e8 80 06 a6 a2 ea 16 18 ac cc 11 4c fa b4 a1 57 17 5f 66 28 ae b7 0d bd ba d8 d0 20 37 88 43 1b 52 11 2f 14 3e 69 6c 6a a9 3e a9 1f 3d f9 32 03 cc 06 3b 0b 46 21 22 2e ba 61 da d5 66 65 97 48 ce 89 37 51 04 a8 02 97 95 2e 56 6f f8 f8 f4 66 c1 07 82 d7 7d f5 b3 b2 c1 76 84 64 7f 63 d7 b1 81 44 b8 cb 4a 03 43 83 24 a4 6b 90 4f b1 89 1b 03 e7 36 7f 60 d0 34 c3 d3 a4 db bc c5 fc 96 ac b0 f
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 14:01:26 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6-gzip"accept-ranges: bytesvary: Accept-Encodingcontent-encoding: gzipcontent-length: 1574content-type: text/htmlData Raw: 1f 8b 08 00 00 00 00 00 00 03 c5 58 eb 6e db 36 14 fe df a7 e0 34 14 6b 00 4b 96 ed 64 49 24 db db b0 ae c0 7e 14 6d d1 0e db b0 0d 05 25 1d 49 5c 28 51 23 e9 d8 ae e0 07 ca 73 e4 c5 76 a8 8b 4d 5f 92 14 e8 8f 22 b0 65 91 87 3c b7 ef 7c 3c cc f4 9b 97 6f 7e fe f0 e7 db 5f 48 ae 0b 3e 7f 36 35 0f c2 69 99 cd 9c 54 3a 66 00 68 82 8f 02 34 25 71 4e a5 02 3d 73 7e fb f0 ca bd 32 b3 9a 69 0e f3 f7 4c 03 81 92 14 94 95 1a 4a 5a c6 30 1d b6 53 dd ca 92 16 30 73 12 50 b1 64 95 66 a2 74 48 2c 8c 2c 6e e6 ec 0b 65 50 82 a4 5a 48 4b 24 17 4a b3 32 73 2b 9a 81 1b 2d 18 4f 40 1e 2c bb 65 b0 ac 84 d4 d6 aa 25 4b 74 3e 4b e0 96 c5 e0 36 2f 03 c2 4a a6 19 e5 ae 8a 29 87 d9 e8 60 13 91 05 0b c9 6d c5 5a 57 c1 70 58 8e 47 5c ff 1b 15 ab b5 f2 2a 09 46 97 c7 ca 54 14 b4 64 f4 c6 5b 42 a4 30 04 43 6b cc b5 62 e1 99 a0 1e 6b e2 c2 d8 60 29 4b 0f 7d 42 21 bd ae 6c 91 4e d3 09 39 13 6d 4b f0 44 4a 8e 17 7d 56 3e 4c 4c aa 84 6a 48 3e 6a 56 d8 3a 46 97 93 f1 f7 e7 fe c5 55 13 46 ce ca 1b 22 81 cf 1c a5 d7 1c 54 0e 80 c9 c8 25 a4 6d 18 15 c6 91 2a 84 8f f2 14 66 17 33 69 87 30 16 c5 30 c5 8d 55 f3 ed d2 25 28 51 c0 f0 dc 9b 78 fe 30 56 fb c3 5e c1 4a 0f 07 3f 57 6d b3 b1 97 09 91 71 a0 15 53 8d 36 5c ff 43 4a 0b c6 d7 b3 37 15 46 ea 3d 2d 9b 0d 9b 6d e6 cf 4c ce 06 91 48 d6 75 0e 2c cb 75 30 f2 fd e7 61 45 93 04 81 18 f8 61 41 65 c6 ca c0 df 78 06 94 75 25 30 2f 18 c7 00 4d a1 9a dd 42 98 30 55 71 ba 0e 34 8d 38 84 cd b7 8b ef 62 a1 83 94 ad 20 09 1b 44 b6 db da 2a d0 21 70 bb 81 52 c8 82 f2 50 c3 0a 7d e7 2c 2b 83 18 23 0f 32 6c a2 d1 5a 1f 6c ad 1f 10 85 df ae 02 c9 d2 56 42 b1 4f 10 8c bc 11 14 61 2c b8 90 c1 b7 69 9a 86 11 8d 6f 32 29 16 65 e2 f6 a3 be f9 b3 27 9a 95 b1 b8 45 5d d6 e8 d6 cb 0b ff 39 c1 8f 3d 27 a1 02 6a 4c ee 7e d9 73 54 6b 1a e7 05 da de fa be c9 47 83 7c 3c c8 27 83 fc 7c 90 5f d4 b6 cf 23 6f d2 1a bf b4 63 b0 f1 a2 6c ab de d5 a2 aa 1f 32 cb df 17 2d 58 92 70 78 50 1a 3f fb f2 91 d0 5a 14 0f ca 9b 14 b5 29 0f 22 48 85 84 ba 2b 87 c0 71 c2 ad 24 8d 94 e0 0b 8d 69 17 15 62 85 43 aa f1 d1 6e 8d 3f 64 e3 98 1f a6 8c 63 32 03 ca ab 9c be 10 15 8d 99 5e cf ce fd b3 d0 2d 94 db 4d 3a 95 14 19 4b 82 97 7f fc 5a a0 d6 0f 12 53 8c 7a 0b ef 35 8b a5 50 22 d5 de 4f cd fa 37 bb f5 4e d8 6d 16 f8 de f9 86 15 59 5d d0 95 6b e1 ad fd 49 17 5a fc 7d dd 83 cf bc 6d e8 80 06 a6 a2 ea 16 18 ac cc 11 4c fa b4 a1 57 17 5f 66 28 ae b7 0d bd ba d8 d0 20 37 88 43 1b 52 11 2f 14 3e 69 6c 6a a9 3e a9 1f 3d f9 32 03 cc 06 3b 0b 46 21 22 2e ba 61 da d5 66 65 97 48 ce 89 37 51 04 a8 02 97 95 2e 56 6f f8 f8 f4 66 c1 07 82 d7 7d f5 b3 b2 c1 76 84 64 7f 63 d7 b1 81 44 b8 cb 4a 03 43 83 24 a4 6b 90 4f b1 89 1b 03 e7 36 7f 60 d0 34 c3 d3 a4 db bc c5 fc 96 ac b0 f
                Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service Unavailabledate: Tue, 18 Feb 2025 14:01:28 GMTserver: Apacheupgrade: h2connection: Upgradelast-modified: Tue, 26 Nov 2024 17:03:01 GMTetag: "111c-627d3d260e1f6"accept-ranges: bytescontent-length: 4380vary: Accept-Encodingcontent-type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 53 69 74 65 20 65 6e 20 6d 61 69 6e 74 65 6e 61 6e 63 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 67 65 6e 65 72 61 74 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 68 6f 73 74 69 6e 67 2d 70 61 67 65 2d 62 75 69 6c 64 65 72 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 6e 32 31 6c 74 6a 62 6d 78 79 73 2e 70 72 65 76 69 65 77 2e 69 6e 66 6f 6d 61 6e 69 61 6b 2e 77 65 62 73 69 74 65 2f 2e 69 6e 66 6f 6d 61 6e 69 61 6b 2d 6d 61 69 6e 74 65 6e 61 6e 63 65 2e 68 74 6d 6c 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 66 72 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 53 69 74 65 20 65 6e 20 6d 61 69 6e 74 65 6e 61 6e 63 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6f 67 3a 75 70 64 61 74 65 64 5f 74 69 6d 65 22 20 63 6f 6e 74 65 6e 74 3d 22 31 37 33 32 36 34 30 35 38 31 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 73 73 65 74 73 2e 73 74 6f 72 61 67 65 2e 69 6e 66 6f 6d 61 6e 69 61 6b 2e 63 6f 6d 2f 66 6f 6e 74 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2f 34 2e 33 2e 30 2f 63 73 73 2f 66 6f 6e 74 2d 61 77 65 73 6f 6d 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 20 53 61 6e 73 22 3e 0a 3c 73 74 79 6c 65 3e 0a 68 74 6d 6c 2c 62 6f 64 79 7b 68 65 69 67 68 74 3a 31 30 30 25 3b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 74 61 62 6c 65 2d 6c 61 79 6f 75 74 3a 66 69 78 65 64 3b 77 69 64 74 68 3a 31 30 30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 18 Feb 2025 14:01:30 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 18 Feb 2025 14:01:32 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;br"accept-ranges: bytescontent-encoding: brvary: Accept-Encodingcontent-length: 912date: Tue, 18 Feb 2025 14:01:35 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 02 33 01 80 1c cb 59 ff 7c 5e d3 7a f6 90 9a d1 13 d5 89 13 81 1c c3 8a f9 f1 73 6a 9b 08 2b df dd 4f 0a 44 aa 73 c4 1f 32 66 47 20 dc 5c e5 88 9c 27 a1 a6 43 5c 9d 2b a5 4a c8 4b 27 5e 48 40 fa 18 94 1a 0a 69 bc ea a6 86 9f 52 17 4a 69 8d ea 0e fc 3d b3 03 04 6f b5 a7 ae ae 84 71 8e 48 4e c5 44 c6 95 21 29 7c 8c 84 24 0e 50 4a 62 99 b8 21 12 32 8b 99 4c cf 45 53 1b 2a 49 7c 35 45 4e c4 54 82 cd 4f cf d9 bc 15 4d 2a 0d f5 c0 25 19 9d d1 68 52 e7 73 e5 40 83 71 72 32 95 2e c9 78 53 be d0 03 d2 36 19 08 4c 4b 7c 43 ea f0 66 29 5e 86 ba 00 e1 b8 a5 ca c6 e8 5b 24 67 f2 16 94 0d ed 26 3d b8 a0 44 ba df 54 7e 7b fd ea 63 ba aa dd 63 60 ce 9b 02 54 94 a8 f3 0d f8 a7 96 6d aa 30 b6 2f a1 cb 43 a5 d2 f7 78 88 dc 0b 98 86 ee 36 b6 ff f6 5b 3f 4d fe 6b 17 d7 16 ab df ec 8b 85 f9 86 40 cf f8 e5 a2 17 87 a8 d8 c9 1b 49 58 b3 99 5c e8 24 dd 19 eb c7 1f 44 b8 69 d6 42 b8 3e e3 41 34 ea d4 0e ba 26 29 4d da bd e5 6e 83 b7 c8 1c 41 ba 17 3d 64 32 e6 d0 48 8a 48 c5 91 9c 0a ad 45 b6 a7 30 d8 b0 57 4d 47 c5 85 75 2b c3 90 37 e6 40 5f 21 59 07 96 73 0e 13 a3 eb a9 9d 18 0d 9a 8f c5 e7 8f 15 2a ce eb 86 66 2c 74 40 5c 0e c0 a3 87 99 a7 20 21 c3 00 88 18 78 b3 6a aa 8c 31 65 c8 5b db 12 03 08 09 02 ba 49 23 12 d4 47 ea 01 5f 58 0d b0 2f 47 80 7e 97 5b cc 53 18 9d 76 9b bc 00 3f 47 90 29 70 cc 07 24 4b 3e 32 2a d2 75 a9 d6 a6 02 08 d5 03 9f e0 04 7d 0b 9f d8 98 fe 22 22 17 ee 1c 61 21 ac ca 4b 70 14 3c 18 43 ef 06 2f e2 c4 08 97 df 21 ef b0 fd 00 80 e5 7e d8 4b ce c5 5c ac 0d 4f ba 1f 2d 1a 6d 22 d3 e8 ee 97 59 e3 49 78 cd 32 b6 1a 05 e1 79 18 c6 bb a9 b7 6d 6a ee 7c 44 43 3b 3f d9 99 4f 26 9a 79 e1 e0 e2 8d b5 b2 57 d6 da 5e 5b 1b 6b 63 28 8d f0 b1 65 86 0f b5 22 41 83 da c3 e8 3d 9a 11 b3 2c 67 8e 21 6b c2 6b fd 73 f4 34 65 52 5f 49 f6 42 5d 46 bf 95 db eb 9f ee b7 7a 91 bb b9 d1 b1 40 d8 cc b1 0a 8e c5 ca e2 bf ba 52 97 c1 70 e8 74 5d ef 54 0a 6f 99 c0 3f aa d5 f4 c4 a4 e7 f0 08 7d 3a 0e f7 a8 c8 85 ed b7 21 8b e2 b0 46 d1 7f 1e c9 9e 2c 64 19 51 0a 85 c7 ff 3b 6a ba 47 41 2e 56 f9 be 11 8e 2f 38 ce b2 64 81 91 d0 db b7 58 62 e3 74 46 19 ff c8 b2 51 c5 01 e0 f9 12 e3 1c 8d 2a 4f fa a4 77 49 23 36 ca 91 7a ba fa db 39 8e 47 39 03 9f bb e3 f3 7d 3e 5b 2d d7 cb ed 66 cb 17 ab 4f a9 43 22 02 29 1b f0 0e ec 60 24 30 62 57 69 f6 20 ab d3 e1 34 e1 60 74 4d 4e 65 1f 90 e8 b3 51 11 53 d3 67 1e c2 6f e7 1f 8b 53 11 87 a5 1e 89 da a4 72 46 d9 4a 6a fc 0f 2c 99 34 f9 a9 94 1a 9d 80 96 d4 6e c9 64 35 63 75 d2 99 a1 03 22 36 97 e7 48 d4 10 27 1e a8 03 ec 34 41 83 78 b0 07 1d d1 36 5d 30 36 90 e1 54 ba e3 d5 2e 1d aa d1 69 34 fa d7 20 78 4e 26 dd 2d 6e d0 31 57 79 1c 39 62 ae 2c bf 02 19 9e d6 9e 41 79 4a 1e d0 00 c6 f1 58 5b e6 c3 e8 a5 c2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Wed, 18 Jan 2023 19:41:46 GMTetag: "999-63c84b7a-3d7f793868cb3f69;;;"accept-ranges: bytescontent-length: 2457date: Tue, 18 Feb 2025 14:01:37 GMTserver: LiteSpeedplatform: hostingerpanel: hpanelData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 70 72 65 66 69 78 3d 22 63 6f 6e 74 65 6e 74 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 72 73 73 2f 31 2e 30 2f 6d 6f 64 75 6c 65 73 2f 63 6f 6e 74 65 6e 74 2f 20 64 63 3a 20 68 74 74 70 3a 2f 2f 70 75 72 6c 2e 6f 72 67 2f 64 63 2f 74 65 72 6d 73 2f 20 66 6f 61 66 3a 20 68 74 74 70 3a 2f 2f 78 6d 6c 6e 73 2e 63 6f 6d 2f 66 6f 61 66 2f 30 2e 31 2f 20 6f 67 3a 20 68 74 74 70 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 20 72 64 66 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 30 31 2f 72 64 66 2d 73 63 68 65 6d 61 23 20 73 69 6f 63 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 6e 73 23 20 73 69 6f 63 74 3a 20 68 74 74 70 3a 2f 2f 72 64 66 73 2e 6f 72 67 2f 73 69 6f 63 2f 74 79 70 65 73 23 20 73 6b 6f 73 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 34 2f 30 32 2f 73 6b 6f 73 2f 63 6f 72 65 23 20 78 73 64 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 23 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 40 63 68 61 72 73 65 74 20 22 55 54 46 2d 38 22 3b 0a 20 20 20 20 20 20 20 20 5b 6e 67 5c 3a 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 64 61 74 61 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 5b 78 2d 6e 67 2d 63 6c 6f 61 6b 5d 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 78 2d 6e 67 2d 63 6c 6f 61 6b 2c 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 68 69 64 65 3a 6e 6f 74 28 2e 6e 67 2d 68 69 64 65 2d 61 6e 69 6d 61 74 65 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 6e 67 5c 3a 66 6f 72 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 69 6d 61 74 65 2d 73 68 69 6d 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 69 73 69 62 69 6c 69 74 79 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 2e 6e 67 2d 61 6e 63 68 6f 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:01:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:01:50 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:01:52 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: W/"49d-5e8c4bb618b87"Content-Encoding: gzipData Raw: 32 34 62 0d 0a 1f 8b 08 00 00 00 00 00 02 03 ad 53 4d 73 da 30 10 bd e7 57 6c 9d b3 11 86 7c 21 8c 67 52 4c a6 9d 49 52 a6 38 93 f6 28 ec 05 6b 2a cb ae b5 c1 d0 4c ff 7b e5 0f 02 99 b6 e9 a5 f2 c1 d2 ee db f7 9e 34 bb fe bb f0 d3 34 fa 3a 9f 41 4a 99 82 f9 c3 fb db 8f 53 70 5c c6 1e 87 53 c6 c2 28 84 2f 1f a2 bb 5b f0 7a 7d 58 50 29 63 62 6c 76 ef 80 93 12 15 9c b1 aa aa 7a d5 b0 97 97 6b 16 7d 66 db 9a c5 ab cb ba ad 6b 9a 9a 5e 42 89 13 9c f8 8d c8 36 53 da 4c fe 40 e0 8d 46 a3 b6 ce a9 41 5c 09 bd 9e 38 a8 1d 78 d9 05 7e 8a 22 09 4e c0 2e 9f 24 29 0c 1e 71 69 24 21 2c 9e 4c 81 3a c1 c4 67 6d a2 05 65 48 02 6a 2d 17 bf 3f c9 cd c4 99 e6 9a 50 93 1b ed 0a 74 20 6e 4f 13 87 70 4b ac d6 1e 43 9c 8a d2 20 4d 1e a2 1b f7 ca 61 c7 44 5a 64 38 71 12 34 71 29 0b 92 b9 3e 62 88 52 69 a0 ea dc a4 c2 c0 12 51 83 d9 db ea bd 30 19 da 29 04 b2 fa 9d 6c 6c 8c d3 e6 ea b5 cc 93 1d 3c af 2c ad 6b e4 0f e4 de 59 b1 b5 a6 72 95 97 fc f4 b2 59 63 68 d2 2b 91 49 b5 e3 a2 94 c2 da ae a9 5c a1 e4 5a f3 d8 1a c2 72 fc f3 85 33 f5 8e 19 af 8e 19 47 a3 eb cb eb 9b 31 64 a2 5c 4b cd e1 b2 5f 6c a1 5f 7f c7 f5 03 78 6e f1 70 1a ce 2e a6 e7 e1 6b 0b d0 79 38 68 c0 a0 5f 8b 34 81 0a e5 3a 25 6e 6f a6 92 31 28 24 6b ce 35 85 88 a5 5e 73 70 bd 1a b8 97 f7 ce 1b f9 81 fd 1d e9 17 f0 5c c9 84 52 3e 6c 69 7f bf 6b 47 e0 2a 5c 11 17 4f 94 8f bb 40 d9 68 37 91 3d 86 f2 82 c3 b0 be e7 41 21 91 9b ff a2 71 60 14 5c 49 fd ed f0 6e c3 b3 f3 e1 c5 f5 2b c0 46 d6 cd 92 bc 89 11 31 c9 0d be 09 49 f3 0d 96 7f 41 f8 ac 69 37 3b 7c ac 1d 1d bf ee af ae 13 53 2f 58 3c 2c e6 b3 fb 70 16 da bc b7 0f 0f 82 7f 35 b3 45 0f 3a b4 7d b9 43 f3 ce 15 0a 83 cd 50 58 e3 40 a9 6d 74 8c 53 2d 63 a1 6c 79 51 e4 25 41 82 85 28 29 b3 8f da eb 3c 36 1c 3e 6b ad f9 cd 1c 06 27 bf 00 dc 27 15 ee 9d 04 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 24bSMs0Wl|!gRLIR8(k*L{44:AJSp\S(/[z}XP)cblvzk}fk^B6SL@FA\8x~"N.$)qi$!,L:gmeHj-?Pt nOpKC MaDZd8q4q)>bRiQ0)ll<,kYrYch+I\Zr3G1d\K_l_xnp.ky8h_4:%no1($k5^sp\R>likG*\O@h7=A!q`\In+F1IAi7;|S/X<,p5E:}CPX@mtS-clyQ%A()<6>k''0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:01:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 1181Connection: closeVary: Accept-EncodingLast-Modified: Fri, 16 Sep 2022 05:35:38 GMTETag: "49d-5e8c4bb618b87"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 57 65 62 73 69 74 65 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 77 65 62 73 69 74 65 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 2e 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 38 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 31 35 70 78 20 30 20 32 35 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:01 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 25503337317Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:04 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 25479452017Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:07 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 25276562919Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:09 GMTServer: ApacheContent-Length: 196Content-Type: text/html; charset=iso-8859-1X-Varnish: 25160968072Age: 0Via: 1.1 webcache1 (Varnish/trunk)Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:24 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cWgkqol9VOWhPMwTSinEnL1fqZhuy6awXQWZdzoeGDR9LyTHRohBPBUMw%2ByoJrxYf62iJoxUaW7mZcaO3m1j6NuDPhAdL7kZU5icPzmuEXmzSzqSrcTBGp5STqY%2Bx2DCEQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8dfadbdf8c0f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2256&min_rtt=2256&rtt_var=1128&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=731&delivery_rate=0&cwnd=231&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:26 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fnD25%2BREKM763HtD0gOew7WTZjiBqz%2F%2FWjKCdxtr8xpkvYqJq5y105ubfP5GDmRph9yEke4GamiGLjeY4GP7x5UXg5PeeVfvMh%2BsL0EFECpuI2yHCTIxwOcF7vW9aXX7Kw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8e0abe850cbc-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1523&min_rtt=1523&rtt_var=761&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=755&delivery_rate=0&cwnd=196&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: eaTn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(bY<;0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:29 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7DrCcoJuO1lUVpV98uBl5JGlGiJ8VvKJSmWWGzE2c%2Fz%2Fuf9eSoU6GogANWxbyxHuPvf59YlHiu%2BjCaUeWVgGv6%2FBYB%2FfiT8UY2h0K%2BR0rgcKOboBKPIUbWRRRpf2GUzYmw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8e1ac8e543f7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1814&min_rtt=1814&rtt_var=907&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1768&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 54 90 c1 6e c2 30 10 44 ef f9 8a 29 e7 96 85 8a a3 65 a9 25 41 20 a5 14 55 e1 d0 a3 c1 5b 6c 29 d8 d4 d9 14 e5 ef ab 98 4a 6d af b3 6f 76 67 56 dd 95 af cb e6 7d 57 61 dd bc d4 d8 ed 9f eb cd 12 93 07 a2 4d d5 ac 88 ca a6 bc 4d 1e a7 33 a2 6a 3b d1 85 72 72 6e b5 72 6c ac 2e 94 78 69 59 2f 66 0b 6c a3 60 15 fb 60 15 dd c4 42 51 86 d4 21 da 61 f4 cd f5 1f c6 cd 75 a1 2e ba 71 8c c4 9f 3d 77 c2 16 fb b7 1a 57 d3 21 44 c1 c7 c8 21 06 88 f3 1d 3a 4e 5f 9c a6 8a 2e d9 f6 64 ad 17 1f 83 69 db e1 1e 06 ff 02 14 9c 52 4c 79 11 87 63 ec 83 70 62 8b ab f3 2d 43 d2 e0 c3 09 12 d1 77 0c 13 50 8d 70 19 8f fd 99 83 8c ba 33 c1 8e e0 6f b2 9f b3 94 8b 28 ca 0f f8 06 00 00 ff ff e3 02 00 59 3c e4 fe 3b 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f5Tn0D)e%A U[l)JmovgV}WaMM3j;rrnrl.xiY/fl``BQ!au.q=wW!D!:N_.diRLycpb-CwPp3o(Y<;0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:31 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qud66IT7RNlE1A%2F1%2FVN%2BSpr8ko7UJ2HrYqNMWu5biAVUzFbWPCagogkbgKQHsa%2FilWOJ4YVhBrHQvRwdlAHWLhuRa0bJ34zHeUKBShw6QuL648V7hGxuvAfHmwURzsJfOA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8e2aba3141d3-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1651&min_rtt=1651&rtt_var=825&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=480&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:37 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:40 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:42 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/404.css" /></
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:02:45 GMTServer: ApacheContent-Length: 815Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 50 6f 70 70 69 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 30 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 4f 6f 70 73 2c 20 54 68 65 20 50 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 63 61 6e 27 74 20 62 65 20 66 6f 75 6e 64 21 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 53 65 61 72 63 68 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 09 3c 61 20 68 72 65 66 3d 22 2f 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 72 72 6f 77 22 3e 3c 2f 73 70 61 6e 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Poppins:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:03:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JXNKn5idlL%2BhdmJmaNLb1jTNZbUDrD%2FjkLmwCfRsrMkDuhRfi9zxkdNUEqTt0Xj0vmrgWFY3DzKt7Dy%2FuiprNCNs7HL9tNPdKcxU5IPUnFANHO3TxSK46iM7BkBTigcvSkEQ9Lo%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8f4d2f2d41e7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1743&min_rtt=1743&rtt_var=871&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=743&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 31 32 66 37 0d 0a cc 5a 59 97 a3 4a 72 7e bf bf 42 ae 39 b6 67 0e 5d cd be d5 ad 6a 1b 10 12 48 02 01 12 92 d0 cb 3d 90 24 8b 58 c5 2e f9 cc 0f f2 df f0 2f f3 51 55 2f d5 55 52 77 df 19 3f 38 eb 41 64 66 44 64 64 2c 5f 50 99 fc f6 db 6f 8f ff 32 5e 4a 6b c7 90 47 51 93 a5 9f 7e 7b 7c f9 19 8d 46 a3 c7 08 ba fe e7 c7 0c 36 ee 28 6a 9a f2 1e 1e db b8 7b ba 93 8a bc 81 79 73 df 9c 4a 78 37 02 2f bd a7 bb 06 0e 0d 7a 11 f1 fb 08 44 6e 55 c3 e6 a9 6d 82 7b ee ee a6 1c 17 44 f0 fe c2 5f 15 e9 2b 41 79 71 0f 2e 53 37 19 8d ca 0d 33 f7 cf 70 c8 43 19 57 b0 7e c5 82 7d 47 9b bb 19 7c ba eb 62 d8 97 45 d5 bc 22 eb 63 bf 89 9e 7c d8 c5 00 de 3f 77 3e 8c e2 3c 6e 62 37 bd af 81 9b c2 27 fc e3 57 51 4d dc a4 f0 13 85 51 23 bd 68 46 93 a2 cd fd 47 f4 65 f0 85 a0 6e 4e 29 1c 5d ec f6 d9 5c a0 ae 3f 33 5f 9a 57 f8 a7 d1 7f 7d ed 5e 5a 50 e4 cd 7d e0 66 71 7a 7a 18 09 55 ec a6 1f 46 0a 4c 3b d8 c4 c0 fd 30 aa dd bc be af 61 15 07 bf bf 67 ab e3 33 7c 18 e1 54 39 7c 3f 99 c6 39 bc 8f 60 1c 46 cd c3 08 ff 48 11 1c cd Data Ascii: f12f7ZYJr~B9g]jH=$X./QU/URw?8AdfDdd,_Po2^JkGQ~{|F6(j{ysJx7/zDnUm{D_+Ayq.S73pCW~}G|bE"c|?w><nb7'WQMQ#hFGenN)]\?3_W}^ZP}fqzzUFL;0ag3|T9|?9`FH
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:03:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Mjl9wos%2F5Pmb%2F1JQmJPCMMrK589FUHj58Ny4JOhdR4ahiORD3k7ktUwJTfJMHH8uLtM6E17LloVrZ5sZ6EDFkSSkWn3HMcX94fIBQDZyEcjmIp%2B54PXTfsSG%2FyrMjjlED3LVg38%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8f5d1af07c8d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2184&min_rtt=2184&rtt_var=1092&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=767&delivery_rate=0&cwnd=190&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 30 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 97 a3 4a 72 7e bf bf 02 d7 1c db 33 87 ae 66 df ea 56 b5 0d 08 01 92 40 80 84 24 f4 72 0f 4b b2 88 55 ec 92 cf fc 20 ff 0d ff 32 1f 55 f5 52 5d 25 75 f7 9d f1 83 b3 1e 44 66 46 44 46 c6 f2 05 95 c9 6f bf fd f6 f8 2f 93 a5 b8 76 0c 09 8a db 3c fb f4 db e3 cb 0f 04 41 d0 63 0c dc e0 f3 63 0e 5a 17 8a db b6 ba 07 c7 2e e9 9f ee c4 b2 68 41 d1 de b7 a7 0a dc 41 fe 4b ef e9 ae 05 63 8b 5c 44 fc 0e f9 b1 5b 37 a0 7d ea da f0 9e bd bb 29 c7 f5 63 70 7f e1 af cb ec 95 a0 a2 bc f7 2f 53 37 19 8d da 8d 72 f7 cf 70 48 63 95 d4 a0 79 c5 82 7e 47 5b b8 39 78 ba eb 13 30 54 65 dd be 22 1b 92 a0 8d 9f 02 d0 27 3e b8 7f ee 7c 80 92 22 69 13 37 bb 6f 7c 37 03 4f d8 c7 af a2 da a4 cd c0 27 12 25 21 bd 6c a1 69 d9 15 c1 23 f2 32 f8 42 d0 b4 a7 0c 40 17 bb 7d 36 97 df 34 9f 99 2f cd 2b 83 13 f4 5f 5f bb 97 16 96 45 7b 1f ba 79 92 9d 1e 20 be 4e dc ec 03 a4 80 ac 07 6d e2 bb 1f a0 c6 2d 9a fb 06 d4 49 f8 fb 7b b6 26 39 83 07 08 23 ab f1 fb c9 2c 29 c0 7d 0c 92 28 6e 1f 20 ec 23 89 b3 14 83 91 38 f7 3d 95 e7 fa 69 Data Ascii: 1304ZYJr~3fV@$rKU 2UR]%uDfFDFo/v<AccZ.hAAKc\D[7})cp/S7rpHcy~G[9x0Te"'>|"i7o|7O'%!li#2B@}64/+__E{y Nm-I{&9#,)}(n #8=i
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:03:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtBdMx19Is833O5JtSqoJFmo3VbMhervXWO1bffKb06Y7UpQmvvVtaRS4F7CHrpCCcybKay2DcxUnj5aCkwoL21HUkOfx5kd9pCeN3Oh5tWz0KWLyI5CGNv8Ir17DGRTT8yvo6o%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8f6d0d3241c1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1657&min_rtt=1657&rtt_var=828&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1780&delivery_rate=0&cwnd=207&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 30 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a 59 97 a3 4a 72 7e bf bf 02 d7 1c db 33 87 ae 66 df ea 56 b5 0d 08 01 92 40 80 84 24 f4 72 0f 4b b2 88 55 ec 92 cf fc 20 ff 0d ff 32 1f 55 f5 52 5d 25 75 f7 9d f1 83 b3 1e 44 66 46 44 46 c6 f2 05 95 c9 6f bf fd f6 f8 2f 93 a5 b8 76 0c 09 8a db 3c fb f4 db e3 cb 0f 04 41 d0 63 0c dc e0 f3 63 0e 5a 17 8a db b6 ba 07 c7 2e e9 9f ee c4 b2 68 41 d1 de b7 a7 0a dc 41 fe 4b ef e9 ae 05 63 8b 5c 44 fc 0e f9 b1 5b 37 a0 7d ea da f0 9e bd bb 29 c7 f5 63 70 7f e1 af cb ec 95 a0 a2 bc f7 2f 53 37 19 8d da 8d 72 f7 cf 70 48 63 95 d4 a0 79 c5 82 7e 47 5b b8 39 78 ba eb 13 30 54 65 dd be 22 1b 92 a0 8d 9f 02 d0 27 3e b8 7f ee 7c 80 92 22 69 13 37 bb 6f 7c 37 03 4f d8 c7 af a2 da a4 cd c0 27 12 25 21 bd 6c a1 69 d9 15 c1 23 f2 32 f8 42 d0 b4 a7 0c 40 17 bb 7d 36 97 df 34 9f 99 2f cd 2b 83 13 f4 5f 5f bb 97 16 96 45 7b 1f ba 79 92 9d 1e 20 be 4e dc ec 03 a4 80 ac 07 6d e2 bb 1f a0 c6 2d 9a fb 06 d4 49 f8 fb 7b b6 26 39 83 07 08 23 ab f1 fb c9 2c 29 c0 7d 0c 92 28 6e 1f 20 ec 23 89 b3 14 83 91 38 f7 3d 95 e7 fa 69 54 5f f6 70 ef 97 59 59 Data Ascii: 1305ZYJr~3fV@$rKU 2UR]%uDfFDFo/v<AccZ.hAAKc\D[7})cp/S7rpHcy~G[9x0Te"'>|"i7o|7O'%!li#2B@}64/+__E{y Nm-I{&9#,)}(n #8=iT_pYY
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 18 Feb 2025 14:03:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0cf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VlLipCprEwxTFs4nUJuaIRxWcvBIMOvLrc1uVsRbaziPdFGi964XZFQOoJYDhpqH0treT2axpcgQSVVd04Z%2BefOjacTxkY2lqB%2FDnVp29D3cb8pKhDonKZVJIo3Y8hz23NC46m0%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 913e8f7d1af96a57-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1692&rtt_var=846&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=484&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:03:32 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:03:35 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:03:37 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 18 Feb 2025 14:03:40 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: expand.exe, 00000015.00000002.4868259437.000000000607A000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.00000000048EA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: expand.exe, 00000015.00000002.4868259437.0000000005258000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003AC8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://n21ltjbmxys.preview.infomaniak.website/.infomaniak-maintenance.html
                Source: QUOTATION REQUEST.exe, 00000001.00000002.2445358879.0000000002871000.00000004.00000800.00020000.00000000.sdmp, QUOTATION REQUEST.exe, 00000001.00000002.2445358879.0000000002AF8000.00000004.00000800.00020000.00000000.sdmp, CBdbnantdvVSl.exe, 0000000B.00000002.2637347150.0000000003282000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.2023kuanmeiyingzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aazhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aguardiente.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aihuzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aijiuzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aipazhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.aituzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.americanstar.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.anxinzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.athousandwords.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.automester.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.babyzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.baomiaozhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=311426683748
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.biomac.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.blogauto.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.brainathlete.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.bubblewash.net/binding
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cadsupport.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.caobizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.caoliuzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.carrossier.net
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chengxinzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chicka.net
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/rpa8/
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/css/appsdetail.6f4104a5611f3a6cc38f23add3
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/css/pcmodule.edd4638c5c3b3039832390269d40
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/adblock.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/aggregatedentry.fe363a40.js
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/appsdetail.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/bl.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/broadcast.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/common.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/footer.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/footerbar.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/header.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/index.umd.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/js.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/nc.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/pcmodule.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/pullup.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/realNameAuth.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/replyItem.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/js/tracker.fe363a40.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/anva-zilv.png
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/default_avatar.jpg
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/qr-4_httpswww.wandoujia.comqr.png
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.choujiezhibo.net/template/news/wandoujia/static/picture/qr-5_httpswww.wandoujia.comqr.png
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chouyinzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunlangzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.chunyanzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cryptico.net/binding
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cuiluanzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.cyberpolice.cn
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.djpaul.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.doudouzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douquzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.douzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.duoxiuzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.expovirtual.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.fengxiuzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.finesttravel.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.firstdial.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.gesichtspflege.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.humanhouse.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.huoyazhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.huoyingzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.inmoto.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.investimo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.juwe.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.kingdomcity.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.leatherfactory.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lianaizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liansezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.linglingzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liuhuazhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liuyuezhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.liuyuezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.losbravos.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.lovevintage.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mamaizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.manchengzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meijiuzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.meikazhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mengxinzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.miaosuzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mijianzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mituzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.moidom.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.momozhibo.net
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.monitorit.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mydowntown.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.mynewshub.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.nuoxiazhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.oshwal.net/binding
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qinglizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qingsezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.qiushuizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.ridebox.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.riscon.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.sarfa.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.seyingzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.sleepmaster.net/binding
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.solarfreedom.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.startshere.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.summergames.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.taoezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.testoprime.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.thecakelady.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.thecherrytree.net
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.tinygiant.net
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4863778560.0000000001459000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tsd2.net
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4863778560.0000000001459000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.tsd2.net/54c9/
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.twistedlemon.net/binding
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wangyouzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.winegard.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wuhaozhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.wunvzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiaohezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xingmengzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xiyezhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xuetuzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.xuetuzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yanyuzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yemizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyingzhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yeyouzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yimeizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yingyingzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yingzhuzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yinhezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.youqizhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yourreality.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuechengzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yueliangzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yuguozhibo.com
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yundingzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yunmengzhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.yunmengzhibo.net/binding
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zisezhibo.net
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.zootech.net
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: expand.exe, 00000015.00000002.4868259437.0000000005258000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003AC8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.com/fonts/font-awesome/4.3.0/css/font-awesome.min.css
                Source: expand.exe, 00000015.00000002.4868259437.0000000005258000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003AC8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.website/images/background/unsplash/lqQlmcPt9Qg-large.jpg
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003AC8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.website/images/background/unsplash/lqQlmcPt9Qg-medium.jpg
                Source: expand.exe, 00000015.00000002.4868259437.0000000005258000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003AC8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://assets.storage.infomaniak.website/images/background/unsplash/lqQlmcPt9Qg-small.jpg
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://beian.miit.gov.cn/#/Integrated/index
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: expand.exe, 00000015.00000002.4868259437.0000000005258000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4868259437.00000000053EA000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003AC8000.00000004.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003C5A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
                Source: expand.exe, 00000015.00000002.4868259437.0000000005BC4000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004434000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Poppins:400
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://img.ucdl.pp.uc.cn/upload_files/wdj_web/public/img/favicon.ico
                Source: expand.exe, 00000015.00000002.4863161881.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: expand.exe, 00000015.00000003.2916153732.00000000075AF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: expand.exe, 00000015.00000002.4863161881.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                Source: expand.exe, 00000015.00000002.4863161881.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: expand.exe, 00000015.00000002.4863161881.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033r)
                Source: expand.exe, 00000015.00000002.4863161881.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: expand.exe, 00000015.00000002.4863161881.0000000000641000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: expand.exe, 00000015.00000002.4868259437.00000000053EA000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003C5A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://push.zhanzhang.baidu.com/push.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://ucan.25pp.com/Wandoujia_wandoujia_qrbinded.apk
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://white.anva.org.cn/
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.12377.cn/
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: expand.exe, 00000015.00000002.4868259437.00000000053EA000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003C5A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
                Source: expand.exe, 00000015.00000002.4868259437.0000000005EE8000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004758000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: expand.exe, 00000015.00000003.2922456109.00000000075CE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: expand.exe, 00000015.00000002.4868259437.0000000005258000.00000004.10000000.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000003AC8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.infomaniak.com/fr/hebergement
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
                Source: expand.exe, 00000015.00000002.4868259437.000000000639E000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4869993243.0000000007320000.00000004.00000800.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.0000000004C0E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zzlz.gsxt.gov.cn/

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000015.00000002.4865412130.0000000000830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2723717849.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4862844200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4865277895.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2724639659.0000000001350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.4864904721.0000000004F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2726669936.00000000040B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                .NET source code contains very large strings
                Source: QUOTATION REQUEST.exe, frmLogin.csLong String: Length: 169248
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: QUOTATION REQUEST.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0042CA53 NtClose,10_2_0042CA53
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422B60 NtClose,LdrInitializeThunk,10_2_01422B60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422DF0 NtQuerySystemInformation,LdrInitializeThunk,10_2_01422DF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422C70 NtFreeVirtualMemory,LdrInitializeThunk,10_2_01422C70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014235C0 NtCreateMutant,LdrInitializeThunk,10_2_014235C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01424340 NtSetContextThread,10_2_01424340
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01424650 NtSuspendThread,10_2_01424650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422BE0 NtQueryValueKey,10_2_01422BE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422BF0 NtAllocateVirtualMemory,10_2_01422BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422B80 NtQueryInformationFile,10_2_01422B80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422BA0 NtEnumerateValueKey,10_2_01422BA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422AD0 NtReadFile,10_2_01422AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422AF0 NtWriteFile,10_2_01422AF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422AB0 NtWaitForSingleObject,10_2_01422AB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422D00 NtSetInformationFile,10_2_01422D00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422D10 NtMapViewOfSection,10_2_01422D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422D30 NtUnmapViewOfSection,10_2_01422D30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422DD0 NtDelayExecution,10_2_01422DD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422DB0 NtEnumerateKey,10_2_01422DB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422C60 NtCreateKey,10_2_01422C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422C00 NtQueryInformationProcess,10_2_01422C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422CC0 NtQueryVirtualMemory,10_2_01422CC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422CF0 NtOpenProcess,10_2_01422CF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422CA0 NtQueryInformationToken,10_2_01422CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422F60 NtCreateProcessEx,10_2_01422F60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422F30 NtCreateSection,10_2_01422F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422FE0 NtCreateFile,10_2_01422FE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422F90 NtProtectVirtualMemory,10_2_01422F90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422FA0 NtQuerySection,10_2_01422FA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422FB0 NtResumeThread,10_2_01422FB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422E30 NtWriteVirtualMemory,10_2_01422E30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422EE0 NtQueueApcThread,10_2_01422EE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422E80 NtReadVirtualMemory,10_2_01422E80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422EA0 NtAdjustPrivilegesToken,10_2_01422EA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01423010 NtOpenDirectoryObject,10_2_01423010
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01423090 NtSetValueKey,10_2_01423090
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014239B0 NtGetContextThread,10_2_014239B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01423D70 NtOpenThread,10_2_01423D70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01423D10 NtOpenProcessToken,10_2_01423D10
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_027FD4241_2_027FD424
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C3ED501_2_06C3ED50
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C3ED401_2_06C3ED40
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C501301_2_06C50130
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C526E01_2_06C526E0
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C5C7101_2_06C5C710
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C5C2C81_2_06C5C2C8
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C5C2D81_2_06C5C2D8
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C501201_2_06C50120
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C54E881_2_06C54E88
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C5BEA01_2_06C5BEA0
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C54E781_2_06C54E78
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C53C171_2_06C53C17
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C53C281_2_06C53C28
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C58AC01_2_06C58AC0
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C5BA681_2_06C5BA68
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C54B991_2_06C54B99
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C54BA81_2_06C54BA8
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeCode function: 1_2_06C5DB181_2_06C5DB18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004188F310_2_004188F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0041009C10_2_0041009C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004100A310_2_004100A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0042F0B310_2_0042F0B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040218C10_2_0040218C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040219010_2_00402190
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004102C310_2_004102C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00416AF310_2_00416AF3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040E2A310_2_0040E2A3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040E3E710_2_0040E3E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040E3F310_2_0040E3F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00402FF010_2_00402FF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0147815810_2_01478158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E010010_2_013E0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148A11810_2_0148A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A81CC10_2_014A81CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B01AA10_2_014B01AA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A41A210_2_014A41A2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148200010_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AA35210_2_014AA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B03E610_2_014B03E6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE3F010_2_013FE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149027410_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014702C010_2_014702C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F053510_2_013F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B059110_2_014B0591
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A244610_2_014A2446
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149442010_2_01494420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149E4F610_2_0149E4F6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141475010_2_01414750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F077010_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EC7C010_2_013EC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140C6E010_2_0140C6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140696210_2_01406962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A010_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014BA9A610_2_014BA9A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FA84010_2_013FA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F284010_2_013F2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D68B810_2_013D68B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E8F010_2_0141E8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AAB4010_2_014AAB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A6BD710_2_014A6BD7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA8010_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FAD0010_2_013FAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148CD1F10_2_0148CD1F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EADE010_2_013EADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01408DBF10_2_01408DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0C0010_2_013F0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0CF210_2_013E0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490CB510_2_01490CB5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01464F4010_2_01464F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01432F2810_2_01432F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01410F3010_2_01410F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01492F3010_2_01492F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FCFE010_2_013FCFE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146EFA010_2_0146EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E2FC810_2_013E2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0E5910_2_013F0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AEE2610_2_014AEE26
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AEEDB10_2_014AEEDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01402E9010_2_01402E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014ACE9310_2_014ACE93
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014BB16B10_2_014BB16B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0142516C10_2_0142516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DF17210_2_013DF172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FB1B010_2_013FB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149F0CC10_2_0149F0CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A70E910_2_014A70E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AF0E010_2_014AF0E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F70C010_2_013F70C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A132D10_2_014A132D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DD34C10_2_013DD34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0143739A10_2_0143739A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140B2C010_2_0140B2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F52A010_2_013F52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014912ED10_2_014912ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A757110_2_014A7571
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148D5B010_2_0148D5B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E146010_2_013E1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AF43F10_2_014AF43F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AF7B010_2_014AF7B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A16CC10_2_014A16CC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140B95010_2_0140B950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148591010_2_01485910
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F995010_2_013F9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145D80010_2_0145D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F38E010_2_013F38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AFB7610_2_014AFB76
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01465BF010_2_01465BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0142DBF910_2_0142DBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140FB8010_2_0140FB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AFA4910_2_014AFA49
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A7A4610_2_014A7A46
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01463A6C10_2_01463A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149DAC610_2_0149DAC6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01435AA010_2_01435AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148DAAC10_2_0148DAAC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01491AA310_2_01491AA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A1D5A10_2_014A1D5A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A7D7310_2_014A7D73
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F3D4010_2_013F3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140FDC010_2_0140FDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01469C3210_2_01469C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AFCF210_2_014AFCF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AFF0910_2_014AFF09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F1F9210_2_013F1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AFFB110_2_014AFFB1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F9EB010_2_013F9EB0
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_0179E5CA11_2_0179E5CA
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_0179D42411_2_0179D424
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_0580000711_2_05800007
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_0580004011_2_05800040
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E3C40811_2_05E3C408
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E326E011_2_05E326E0
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E3012011_2_05E30120
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E3013011_2_05E30130
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E3DC4811_2_05E3DC48
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E33C2811_2_05E33C28
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E33C1711_2_05E33C17
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E3BFD011_2_05E3BFD0
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E34E8811_2_05E34E88
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E34E7811_2_05E34E78
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E3C84011_2_05E3C840
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E34BA811_2_05E34BA8
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E34B9911_2_05E34B99
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E3BB9811_2_05E3BB98
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05E38AC011_2_05E38AC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018A010019_2_018A0100
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018F600019_2_018F6000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_019302C019_2_019302C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B053519_2_018B0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018AC7C019_2_018AC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018D475019_2_018D4750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B077019_2_018B0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018CC6E019_2_018CC6E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B29A019_2_018B29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018C696219_2_018C6962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018E889019_2_018E8890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018968B819_2_018968B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018DE8F019_2_018DE8F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B284019_2_018B2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018BA84019_2_018BA840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018AEA8019_2_018AEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018C8DBF19_2_018C8DBF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B8DC019_2_018B8DC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018AADE019_2_018AADE0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018BAD0019_2_018BAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018BED7A19_2_018BED7A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018A0CF219_2_018A0CF2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B0C0019_2_018B0C00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_0192EFA019_2_0192EFA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018A2FC819_2_018A2FC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018F2F2819_2_018F2F28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018D0F3019_2_018D0F30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_01924F4019_2_01924F40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018C2E9019_2_018C2E90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B0E5919_2_018B0E59
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018BB1B019_2_018BB1B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018E516C19_2_018E516C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_0189F17219_2_0189F172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B33F319_2_018B33F3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_0189D34C19_2_0189D34C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B52A019_2_018B52A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018CB2C019_2_018CB2C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018CD2F019_2_018CD2F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B349719_2_018B3497
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018F74E019_2_018F74E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018A146019_2_018A1460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018BB73019_2_018BB730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B599019_2_018B5990
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B995019_2_018B9950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018CB95019_2_018CB950
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B38E019_2_018B38E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_0191D80019_2_0191D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018CFB8019_2_018CFB80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_01925BF019_2_01925BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018EDBF919_2_018EDBF9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_01923A6C19_2_01923A6C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018CFDC019_2_018CFDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B3D4019_2_018B3D40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_01929C3219_2_01929C32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018C9C2019_2_018C9C20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B1F9219_2_018B1F92
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018B9EB019_2_018B9EB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01425130 appears 58 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0191EA12 appears 37 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 018F7E54 appears 97 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0146F290 appears 105 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01437E54 appears 102 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 013DB970 appears 280 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0145EA12 appears 86 times
                Source: QUOTATION REQUEST.exe, 00000001.00000002.2446803832.000000000392D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs QUOTATION REQUEST.exe
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameYkQz.exeH vs QUOTATION REQUEST.exe
                Source: QUOTATION REQUEST.exe, 00000001.00000002.2433288702.000000000095E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs QUOTATION REQUEST.exe
                Source: QUOTATION REQUEST.exe, 00000001.00000002.2452338001.0000000008820000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs QUOTATION REQUEST.exe
                Source: QUOTATION REQUEST.exe, 00000001.00000002.2450455401.00000000053B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs QUOTATION REQUEST.exe
                Source: QUOTATION REQUEST.exeBinary or memory string: OriginalFilenameYkQz.exeH vs QUOTATION REQUEST.exe
                Source: QUOTATION REQUEST.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, YsSwNkWoPiJOuJybXU.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, YsSwNkWoPiJOuJybXU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, YsSwNkWoPiJOuJybXU.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, YsSwNkWoPiJOuJybXU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, YsSwNkWoPiJOuJybXU.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, YsSwNkWoPiJOuJybXU.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, CdyaBUGrIJfKcV25Xf.csSecurity API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/16@15/14
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile created: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2736:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMutant created: \Sessions\1\BaseNamedObjects\CJgdLkeijkZVyZY
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_03
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile created: C:\Users\user\AppData\Local\Temp\tmp6C58.tmpJump to behavior
                Source: QUOTATION REQUEST.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: QUOTATION REQUEST.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT TOP 200 o.onum [Order ID],c.companyShortName [Client name], o.odate [Order date],o.supplydate [Date of delivery],o.ototal [Total price],o.odesc [Order description],o.paymentStatus [Mode of payment],o.orderStatus [Status] FROM order_list o JOIN order_detail od ON o.odate = od.odate JOIN clients c ON od.cnum=c.cnum WHERE o.odesc LIKE @Status1 AND o.orderStatus LIKE @Status2 GROUP BY o.odate,o.onum,c.companyShortName,o.supplydate,o.ototal,o.odesc,o.paymentStatus,o.orderStatus ORDER BY o.supplydate ;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT * FROM order_list WHERE (CAST(supplydate AS DATE) BETWEEN @From AND @To) AND orderStatus LIKE '%Completed%';
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT COUNT(*) FROM order_list WHERE (CAST(supplydate AS DATE) BETWEEN @From AND @To) AND orderStatus LIKE '%Completed%';
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT TOP 200 o.onum [Order ID],c.companyShortName [Client name], o.odate [Order date],o.supplydate [Date of delivery],o.ototal [Total price],o.odesc [Order description],o.paymentStatus [Mode of payment],o.orderStatus [Status] FROM order_list o JOIN order_detail od ON o.odate = od.odate JOIN clients c ON od.cnum=c.cnum WHERE o.supplydate BETWEEN @startDate AND @endDate GROUP BY o.odate,o.onum,c.companyShortName,o.supplydate,o.ototal,o.odesc,o.paymentStatus,o.orderStatus ORDER BY o.onum desc;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: UPDATE order_list SET supplydate=@DeferDate,odesc = odesc+@Add WHERE onum=@OID;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT p.pNum [Product ID],pc.categoriesName Category,p.productsName [Product name],p.productsSeedStock [Seed stock],p.produceDays [Estimated Production Period] FROM products p LEFT JOIN products_categories pc ON p.categoriesNum = pc.categoriesNum;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: UPDATE order_list SET orderStatus=@Cancel,supplydate=@DateFinish WHERE onum=@OID;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: UPDATE staff SET sname=@NewName,sbirth=@NewBirth,ssex=@NewSex,sphone=@NewPhone,sEmail=@NewEmail,sresignation=@NewFire,saddressContact=@NewAddressC,saddressDomicile=@NewAddressD,ssal=@NewSal,stitle=@NewTitle,sInChargeProject=@NewInCharge WHERE snum=@SearchId;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT TOP 200 od.pname [Product Name],s.container [Container (oz)],s.pweight [Product Weight],s.pprice Price,od.pamount Amount,s.packageDescription [Package Description] FROM order_detail od JOIN order_list o ON od.odate = o.odate JOIN specifications s ON od.specificationsNum=s.specificationsNum WHERE od.odate = @SearchDate;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: INSERT INTO specifications VALUES (@PContainer,@PWeight,@PDesc,@PPrice,@PID);ISuccessfully added. Rows changed:{0}
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT TOP 200 od.pname [Product Name],s.container [Container (oz)],s.pweight [Product Weight],s.pprice Price,od.pamount Amount,s.packageDescription [Package Description] FROM order_detail od JOIN order_list o ON od.odate = o.odate JOIN specifications s ON od.specificationsNum=s.specificationsNum WHERE od.odate=@Search;
                Source: expand.exe, 00000015.00000003.2917395391.0000000000680000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4863161881.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4863161881.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2917866716.00000000006A1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT TOP 200 * FROM products WHERE productsSeedStock != 0 ORDER BY productsName;pNum
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT companyShortName FROM clients ORDER BY companyShortName;!companyShortName
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: UPDATE products_categories SET categoriesName=@NewCategory WHERE categoriesNum=@CategoryId;
                Source: QUOTATION REQUEST.exe, 00000001.00000000.2375418170.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, CBdbnantdvVSl.exe.1.drBinary or memory string: SELECT pNum ID,productsName [Products Name],productsSeedStock [Seed stock] FROM products WHERE productsSeedStock <=5;
                Source: QUOTATION REQUEST.exeReversingLabs: Detection: 37%
                Source: QUOTATION REQUEST.exeVirustotal: Detection: 30%
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile read: C:\Users\user\Desktop\QUOTATION REQUEST.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION REQUEST.exe "C:\Users\user\Desktop\QUOTATION REQUEST.exe"
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: unknownProcess created: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B5A.tmp"
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"
                Source: C:\Windows\SysWOW64\expand.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B5A.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\expand.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: cabinet.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wininet.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wldp.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: profapi.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: secur32.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: mlang.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: propsys.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeSection loaded: wininet.dll
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: QUOTATION REQUEST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: QUOTATION REQUEST.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: QUOTATION REQUEST.exeStatic file information: File size 1213952 > 1048576
                Source: QUOTATION REQUEST.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x127c00
                Source: QUOTATION REQUEST.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: QUOTATION REQUEST.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: expand.pdb source: RegSvcs.exe, 0000000A.00000002.2724346403.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000003.2780679255.00000000009A4000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: YkQz.pdbSHA256.y source: QUOTATION REQUEST.exe, CBdbnantdvVSl.exe.1.dr
                Source: Binary string: RegSvcs.pdb, source: expand.exe, 00000015.00000002.4868259437.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4863161881.0000000000624000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3029724778.000000003916C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000A.00000002.2724848854.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2726197411.000000000436C000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2724014577.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.0000000004520000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000A.00000002.2724848854.00000000013B0000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2726197411.000000000436C000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000003.2724014577.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.0000000004520000.00000040.00001000.00020000.00000000.sdmp, expand.exe, 00000015.00000002.4866126981.00000000046BE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: YkQz.pdb source: QUOTATION REQUEST.exe, CBdbnantdvVSl.exe.1.dr
                Source: Binary string: RegSvcs.pdb source: expand.exe, 00000015.00000002.4868259437.0000000004B4C000.00000004.10000000.00040000.00000000.sdmp, expand.exe, 00000015.00000002.4863161881.0000000000624000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4865967852.00000000033BC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3029724778.000000003916C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: expand.pdbGCTL source: RegSvcs.exe, 0000000A.00000002.2724346403.0000000000E88000.00000004.00000020.00020000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000003.2780679255.00000000009A4000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: QUOTATION REQUEST.exe, frmLogin.cs.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, CdyaBUGrIJfKcV25Xf.cs.Net Code: moGxn10VWi System.Reflection.Assembly.Load(byte[])
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, CdyaBUGrIJfKcV25Xf.cs.Net Code: moGxn10VWi System.Reflection.Assembly.Load(byte[])
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, CdyaBUGrIJfKcV25Xf.cs.Net Code: moGxn10VWi System.Reflection.Assembly.Load(byte[])
                Source: 1.2.QUOTATION REQUEST.exe.53b0000.3.raw.unpack, RK.cs.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
                Source: QUOTATION REQUEST.exeStatic PE information: 0xB171AAD3 [Sat May 3 05:02:11 2064 UTC]
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00403270 push eax; ret 10_2_00403272
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040D346 push FFFFFF94h; ret 10_2_0040D34A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040D411 pushfd ; ret 10_2_0040D417
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_004125BD pushad ; iretd 10_2_004125C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00415EA8 push D7BC1123h; iretd 10_2_00415EAE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00413F1B pushfd ; ret 10_2_00413F1C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040D734 push edi; retf 10_2_0040D757
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0040BFEA push ds; iretd 10_2_0040BFEB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E09AD push ecx; mov dword ptr [esp], ecx10_2_013E09B6
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_0580C741 push dword ptr [eax+edx-75h]; iretd 11_2_0580C762
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_058384A7 push eax; mov dword ptr [esp], edx11_2_058384BC
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_0583128D push esp; retf 11_2_0583128E
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeCode function: 11_2_05831275 push esp; retf 11_2_05831276
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018EC54F push 8B018767h; ret 19_2_018EC554
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018EC54D pushfd ; ret 19_2_018EC54E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018A09AD push ecx; mov dword ptr [esp], ecx19_2_018A09B6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018EC9D7 push edi; ret 19_2_018EC9D9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_01871368 push eax; iretd 19_2_01871369
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_01871FEC push eax; iretd 19_2_01871FED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 19_2_018F7E99 push ecx; ret 19_2_018F7EAC
                Source: QUOTATION REQUEST.exeStatic PE information: section name: .text entropy: 6.817105115538071
                Source: CBdbnantdvVSl.exe.1.drStatic PE information: section name: .text entropy: 6.817105115538071
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, kE6nEcmoFAfZTpVXxnK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WXGulCPfOF', 'SXZugM0nZY', 'ekKuiWGpek', 'GYou7Jw3yZ', 'fviu6OKAta', 'EqWuCkBymr', 'wVNuI8PYfL'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, j4gssQmx2yPD3HZJZxi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Gb3K3VrUd9', 'gUWKu8EoDf', 'JWXKrjYOGT', 'drUKKfywZY', 'N19KVHgiBC', 'AjeKX9hZeO', 'NQsKsk3aBs'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, pRuPvnwqk5krbyPgnd.csHigh entropy of concatenated method names: 'CAiUCY0Bhe', 'JUbUIus6E3', 'obWUArJ9fC', 'ToString', 'vLDUyDaoTN', 'hJmUfLWcYd', 'yj5AhQ7HqjK2VPSYnHl', 'NtKqDj72KCrhwd6ZEyA', 'CcubeA7pgBk0lXjtZml'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, LaDk4LdVIyEU3ovses.csHigh entropy of concatenated method names: 'HGy5E85uvv', 'L8Z5HiAC71', 'WVG4TLk58t', 'WDK4BCKOFJ', 'lsw48ZuAbe', 'IJe4wAkMX4', 'J0q4ZXjBai', 'IsB4Q8dpSI', 'Jbt4qM7mQ8', 'Btt4hVFK0y'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, N1oGhs4lG1noZPisn4.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zlC9PT3dMy', 'A6W92kNQYe', 'FTd9zYGLVq', 'jmbFowsb8r', 'UbHFmcae7P', 'BDsF9LcIjd', 'F2HFF80rFF', 'R9Akhgq7gbLKFbZcMQB'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, aYWFWvP2n4XP3LJ49U.csHigh entropy of concatenated method names: 'tyy3O9mj23', 'uaZ3ScI5Dd', 'oyd3TFZwKl', 'Ccc3BLjMGF', 'jwi388DBG2', 'KaH3w1dibT', 'KId3ZuEkfo', 'oP93QCgRFE', 'pbv3q44rHt', 'EmU3hC8WB8'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, YsSwNkWoPiJOuJybXU.csHigh entropy of concatenated method names: 'meap7nEM3E', 'F0op6ehWay', 'cPDpCvjPA8', 'RbhpIRtMqD', 'KOkpA4kOZZ', 'LeXpyD130g', 'DrNpfT9twv', 'XaupRRmHTD', 'M7spPgf3ae', 'uqRp2SsEar'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, ch5QPMtGFTNmQNBhOX.csHigh entropy of concatenated method names: 'ruZ4NkXajM', 'IGN4eHgm8E', 'oFo4WGDSKv', 'F5V4tA6wWK', 'uPX4Yay1Kl', 'q8h4DaVOwh', 'Ueo4cJfYq0', 'Dd54MfcH8L', 'Nc543OrrZV', 'dvY4uA1b4n'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, MpRBJBzFeIPNvFtGrt.csHigh entropy of concatenated method names: 'RvBuednhfL', 'daduWwLn2p', 'NyUutODQr1', 'zDBuObENs5', 'JGNuSA3nG5', 'zYvuBRGCT9', 'd7Ru8Ypwoj', 'VQXusWmKOx', 'Y8ruv6fk1m', 'eBAuLTo8XF'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, YVeVKjfMxibpnofVm0.csHigh entropy of concatenated method names: 'H7K3YACuFu', 'nSo3cGInHD', 'Hh833H9L4F', 'bNA3rs6Ls1', 'net3VGdrxc', 'Cpu3sSOMT4', 'Dispose', 'eiuM1uuNyN', 'sCUMpld8iJ', 'jBpM4xy4Jc'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, uea7iRCvJhnYCIC4xk.csHigh entropy of concatenated method names: 'ToString', 'd1aDlxWdaP', 'D3CDS17okB', 'borDTAULuM', 'cMsDBG3FQx', 'OAuD8O0nwC', 'KWQDwNguUA', 'GlmDZU60ic', 'bREDQoN8BQ', 'JNhDqxmxZw'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, RXf4TCxiiaJ0eib63Z.csHigh entropy of concatenated method names: 'b32mJsSwNk', 'aPimGJOuJy', 'qGFmbTNmQN', 'IhOmjXZaDk', 'avsmYesswV', 'XmvmDgQ3SE', 'c0xHetAgcfI27sUelL', 'z8jbCyEdqr0sBQbrKF', 'itJmm2Vrul', 'IW2mFCdshs'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, q1NvDvIvw30NCn9uN7.csHigh entropy of concatenated method names: 'SnecbVYJIm', 'Yaocj2TlSe', 'ToString', 'IDjc14UPCR', 'XbDcpGyPU6', 'dVUc4ImMOx', 'gKgc5udCNT', 'rbycUE3qwy', 'Lt0cJTnlQm', 'qW6cGWCq54'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, EeP0sh9n0RLy26G0M4.csHigh entropy of concatenated method names: 'BjnnqL7Pb', 'eSVNuM8jA', 'BeVefNhBB', 'Wj7HgU8Uo', 'fCqt6raG5', 'NnKdH6CWW', 'bXlyOkPrBpYNwaVvCD', 'opLZcotuBjg0bmjGBY', 'CYCMGLUmV', 'u8quOLSfs'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, qCrwflyOXlWauUTPa4.csHigh entropy of concatenated method names: 'lJycRsZcfg', 'MaPc22jMl1', 'tlDMoyhCck', 'OAkMmZ5XUR', 's9yclmb2nA', 'FBmcgZpC2O', 'BckciZkVK2', 'rNWc7krgi1', 'yWZc6dJpVG', 'WQscColT6W'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, IKUU4UZ3xGnrJlUuNd.csHigh entropy of concatenated method names: 'w7fJ1gc00l', 'obIJ43q9ly', 'a6tJUZ81jT', 'yfGU2YgfLV', 'PR7Uz7jbPa', 'mVlJoOXpcf', 'XycJmtKcTL', 'ACbJ90916t', 'u8SJFWbYLU', 'ybbJxWDc6h'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, rbQGaEpjZvr7IvK8vx.csHigh entropy of concatenated method names: 'Dispose', 'QbpmPnofVm', 'pEG9SOJ18j', 'hus2RbSkL7', 'evWm2HwnL5', 'nI5mzotsKU', 'ProcessDialogKey', 'MRo9oYWFWv', 'Yn49mXP3LJ', 'h9U99ACYep'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, UCYepL2PZ1MR7d97Ze.csHigh entropy of concatenated method names: 'h1yu4wCCaa', 'QaAu5JhTo6', 'VgquUmykW0', 'AGruJs1NEW', 'dRnu3lgxSZ', 'qrFuGYYN9c', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, XkrqG8SgVpRHPvU5LY.csHigh entropy of concatenated method names: 'vSByeL7UTy3SQv4wfOa', 'XqdtvM7dsGXrRaWFNjo', 'yaRUM98TYe', 'CIcU30hVr1', 'dIYUu3ryQ1', 'tH4qmF7RjD68CiJfv5q', 'OCmqvn7cYTP4p4SsEuf'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, Bw2WJAmmbiiaGBFmVDM.csHigh entropy of concatenated method names: 'W73u2OH3Fy', 'ztouzxjr0b', 'Cy8roZjHgr', 'kMHrm8J035', 'SmQr93gu2R', 'QcGrFsi3OH', 'jHkrxYpDWe', 'Dr8r00Ye6t', 'KoPr13We5R', 'sYqrpgvtGo'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, CdyaBUGrIJfKcV25Xf.csHigh entropy of concatenated method names: 'IdZF0vp3gT', 'zf5F1QDoMu', 'POGFpKiJdC', 'DreF47Fw1d', 'LSLF5qmTF4', 'WdoFUQWEfX', 'z7wFJlnXEx', 'WIyFG99pih', 'VtPFkF9QCX', 'VG7Fb3xoNO'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, VYdBcuqttIetJybMgn.csHigh entropy of concatenated method names: 'vivJvJAaTN', 'EcfJL8hdY2', 'FASJn6tGnQ', 'DoDJNaQ2Lw', 'j2KJExXR11', 'PKCJevrVxr', 'bufJHWLcuk', 'U4BJW1xiYf', 'FAqJtdKJyL', 'zZTJdV9gc2'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, xwVPmvOgQ3SEghexgw.csHigh entropy of concatenated method names: 'uA3U0SRYNx', 'tN1UpO78w1', 'cmvU5rHGiR', 'y87UJ7pf5w', 'posUGK1IOP', 'vMV5A4XCce', 'lE45yqch1L', 'Y4n5fbejEM', 'C855RSC3um', 'E5Y5PU11Z7'
                Source: 1.2.QUOTATION REQUEST.exe.437d270.2.raw.unpack, dy8pZqiUFMdUkoQAde.csHigh entropy of concatenated method names: 'xpTaWiGNMV', 'pbhatnhj2M', 'VBiaOnmOdA', 'H4gaSCkEvy', 'fuXaBumkwj', 'EfWa86rbdk', 'B1naZnEIO7', 'bRBaQvI1pa', 'lwVah6X3SC', 'VoialI4TIQ'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, kE6nEcmoFAfZTpVXxnK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WXGulCPfOF', 'SXZugM0nZY', 'ekKuiWGpek', 'GYou7Jw3yZ', 'fviu6OKAta', 'EqWuCkBymr', 'wVNuI8PYfL'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, j4gssQmx2yPD3HZJZxi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Gb3K3VrUd9', 'gUWKu8EoDf', 'JWXKrjYOGT', 'drUKKfywZY', 'N19KVHgiBC', 'AjeKX9hZeO', 'NQsKsk3aBs'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, pRuPvnwqk5krbyPgnd.csHigh entropy of concatenated method names: 'CAiUCY0Bhe', 'JUbUIus6E3', 'obWUArJ9fC', 'ToString', 'vLDUyDaoTN', 'hJmUfLWcYd', 'yj5AhQ7HqjK2VPSYnHl', 'NtKqDj72KCrhwd6ZEyA', 'CcubeA7pgBk0lXjtZml'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, LaDk4LdVIyEU3ovses.csHigh entropy of concatenated method names: 'HGy5E85uvv', 'L8Z5HiAC71', 'WVG4TLk58t', 'WDK4BCKOFJ', 'lsw48ZuAbe', 'IJe4wAkMX4', 'J0q4ZXjBai', 'IsB4Q8dpSI', 'Jbt4qM7mQ8', 'Btt4hVFK0y'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, N1oGhs4lG1noZPisn4.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zlC9PT3dMy', 'A6W92kNQYe', 'FTd9zYGLVq', 'jmbFowsb8r', 'UbHFmcae7P', 'BDsF9LcIjd', 'F2HFF80rFF', 'R9Akhgq7gbLKFbZcMQB'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, aYWFWvP2n4XP3LJ49U.csHigh entropy of concatenated method names: 'tyy3O9mj23', 'uaZ3ScI5Dd', 'oyd3TFZwKl', 'Ccc3BLjMGF', 'jwi388DBG2', 'KaH3w1dibT', 'KId3ZuEkfo', 'oP93QCgRFE', 'pbv3q44rHt', 'EmU3hC8WB8'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, YsSwNkWoPiJOuJybXU.csHigh entropy of concatenated method names: 'meap7nEM3E', 'F0op6ehWay', 'cPDpCvjPA8', 'RbhpIRtMqD', 'KOkpA4kOZZ', 'LeXpyD130g', 'DrNpfT9twv', 'XaupRRmHTD', 'M7spPgf3ae', 'uqRp2SsEar'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, ch5QPMtGFTNmQNBhOX.csHigh entropy of concatenated method names: 'ruZ4NkXajM', 'IGN4eHgm8E', 'oFo4WGDSKv', 'F5V4tA6wWK', 'uPX4Yay1Kl', 'q8h4DaVOwh', 'Ueo4cJfYq0', 'Dd54MfcH8L', 'Nc543OrrZV', 'dvY4uA1b4n'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, MpRBJBzFeIPNvFtGrt.csHigh entropy of concatenated method names: 'RvBuednhfL', 'daduWwLn2p', 'NyUutODQr1', 'zDBuObENs5', 'JGNuSA3nG5', 'zYvuBRGCT9', 'd7Ru8Ypwoj', 'VQXusWmKOx', 'Y8ruv6fk1m', 'eBAuLTo8XF'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, YVeVKjfMxibpnofVm0.csHigh entropy of concatenated method names: 'H7K3YACuFu', 'nSo3cGInHD', 'Hh833H9L4F', 'bNA3rs6Ls1', 'net3VGdrxc', 'Cpu3sSOMT4', 'Dispose', 'eiuM1uuNyN', 'sCUMpld8iJ', 'jBpM4xy4Jc'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, uea7iRCvJhnYCIC4xk.csHigh entropy of concatenated method names: 'ToString', 'd1aDlxWdaP', 'D3CDS17okB', 'borDTAULuM', 'cMsDBG3FQx', 'OAuD8O0nwC', 'KWQDwNguUA', 'GlmDZU60ic', 'bREDQoN8BQ', 'JNhDqxmxZw'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, RXf4TCxiiaJ0eib63Z.csHigh entropy of concatenated method names: 'b32mJsSwNk', 'aPimGJOuJy', 'qGFmbTNmQN', 'IhOmjXZaDk', 'avsmYesswV', 'XmvmDgQ3SE', 'c0xHetAgcfI27sUelL', 'z8jbCyEdqr0sBQbrKF', 'itJmm2Vrul', 'IW2mFCdshs'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, q1NvDvIvw30NCn9uN7.csHigh entropy of concatenated method names: 'SnecbVYJIm', 'Yaocj2TlSe', 'ToString', 'IDjc14UPCR', 'XbDcpGyPU6', 'dVUc4ImMOx', 'gKgc5udCNT', 'rbycUE3qwy', 'Lt0cJTnlQm', 'qW6cGWCq54'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, EeP0sh9n0RLy26G0M4.csHigh entropy of concatenated method names: 'BjnnqL7Pb', 'eSVNuM8jA', 'BeVefNhBB', 'Wj7HgU8Uo', 'fCqt6raG5', 'NnKdH6CWW', 'bXlyOkPrBpYNwaVvCD', 'opLZcotuBjg0bmjGBY', 'CYCMGLUmV', 'u8quOLSfs'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, qCrwflyOXlWauUTPa4.csHigh entropy of concatenated method names: 'lJycRsZcfg', 'MaPc22jMl1', 'tlDMoyhCck', 'OAkMmZ5XUR', 's9yclmb2nA', 'FBmcgZpC2O', 'BckciZkVK2', 'rNWc7krgi1', 'yWZc6dJpVG', 'WQscColT6W'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, IKUU4UZ3xGnrJlUuNd.csHigh entropy of concatenated method names: 'w7fJ1gc00l', 'obIJ43q9ly', 'a6tJUZ81jT', 'yfGU2YgfLV', 'PR7Uz7jbPa', 'mVlJoOXpcf', 'XycJmtKcTL', 'ACbJ90916t', 'u8SJFWbYLU', 'ybbJxWDc6h'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, rbQGaEpjZvr7IvK8vx.csHigh entropy of concatenated method names: 'Dispose', 'QbpmPnofVm', 'pEG9SOJ18j', 'hus2RbSkL7', 'evWm2HwnL5', 'nI5mzotsKU', 'ProcessDialogKey', 'MRo9oYWFWv', 'Yn49mXP3LJ', 'h9U99ACYep'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, UCYepL2PZ1MR7d97Ze.csHigh entropy of concatenated method names: 'h1yu4wCCaa', 'QaAu5JhTo6', 'VgquUmykW0', 'AGruJs1NEW', 'dRnu3lgxSZ', 'qrFuGYYN9c', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, XkrqG8SgVpRHPvU5LY.csHigh entropy of concatenated method names: 'vSByeL7UTy3SQv4wfOa', 'XqdtvM7dsGXrRaWFNjo', 'yaRUM98TYe', 'CIcU30hVr1', 'dIYUu3ryQ1', 'tH4qmF7RjD68CiJfv5q', 'OCmqvn7cYTP4p4SsEuf'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, Bw2WJAmmbiiaGBFmVDM.csHigh entropy of concatenated method names: 'W73u2OH3Fy', 'ztouzxjr0b', 'Cy8roZjHgr', 'kMHrm8J035', 'SmQr93gu2R', 'QcGrFsi3OH', 'jHkrxYpDWe', 'Dr8r00Ye6t', 'KoPr13We5R', 'sYqrpgvtGo'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, CdyaBUGrIJfKcV25Xf.csHigh entropy of concatenated method names: 'IdZF0vp3gT', 'zf5F1QDoMu', 'POGFpKiJdC', 'DreF47Fw1d', 'LSLF5qmTF4', 'WdoFUQWEfX', 'z7wFJlnXEx', 'WIyFG99pih', 'VtPFkF9QCX', 'VG7Fb3xoNO'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, VYdBcuqttIetJybMgn.csHigh entropy of concatenated method names: 'vivJvJAaTN', 'EcfJL8hdY2', 'FASJn6tGnQ', 'DoDJNaQ2Lw', 'j2KJExXR11', 'PKCJevrVxr', 'bufJHWLcuk', 'U4BJW1xiYf', 'FAqJtdKJyL', 'zZTJdV9gc2'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, xwVPmvOgQ3SEghexgw.csHigh entropy of concatenated method names: 'uA3U0SRYNx', 'tN1UpO78w1', 'cmvU5rHGiR', 'y87UJ7pf5w', 'posUGK1IOP', 'vMV5A4XCce', 'lE45yqch1L', 'Y4n5fbejEM', 'C855RSC3um', 'E5Y5PU11Z7'
                Source: 1.2.QUOTATION REQUEST.exe.4407c90.0.raw.unpack, dy8pZqiUFMdUkoQAde.csHigh entropy of concatenated method names: 'xpTaWiGNMV', 'pbhatnhj2M', 'VBiaOnmOdA', 'H4gaSCkEvy', 'fuXaBumkwj', 'EfWa86rbdk', 'B1naZnEIO7', 'bRBaQvI1pa', 'lwVah6X3SC', 'VoialI4TIQ'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, kE6nEcmoFAfZTpVXxnK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WXGulCPfOF', 'SXZugM0nZY', 'ekKuiWGpek', 'GYou7Jw3yZ', 'fviu6OKAta', 'EqWuCkBymr', 'wVNuI8PYfL'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, j4gssQmx2yPD3HZJZxi.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Gb3K3VrUd9', 'gUWKu8EoDf', 'JWXKrjYOGT', 'drUKKfywZY', 'N19KVHgiBC', 'AjeKX9hZeO', 'NQsKsk3aBs'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, pRuPvnwqk5krbyPgnd.csHigh entropy of concatenated method names: 'CAiUCY0Bhe', 'JUbUIus6E3', 'obWUArJ9fC', 'ToString', 'vLDUyDaoTN', 'hJmUfLWcYd', 'yj5AhQ7HqjK2VPSYnHl', 'NtKqDj72KCrhwd6ZEyA', 'CcubeA7pgBk0lXjtZml'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, LaDk4LdVIyEU3ovses.csHigh entropy of concatenated method names: 'HGy5E85uvv', 'L8Z5HiAC71', 'WVG4TLk58t', 'WDK4BCKOFJ', 'lsw48ZuAbe', 'IJe4wAkMX4', 'J0q4ZXjBai', 'IsB4Q8dpSI', 'Jbt4qM7mQ8', 'Btt4hVFK0y'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, N1oGhs4lG1noZPisn4.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'zlC9PT3dMy', 'A6W92kNQYe', 'FTd9zYGLVq', 'jmbFowsb8r', 'UbHFmcae7P', 'BDsF9LcIjd', 'F2HFF80rFF', 'R9Akhgq7gbLKFbZcMQB'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, aYWFWvP2n4XP3LJ49U.csHigh entropy of concatenated method names: 'tyy3O9mj23', 'uaZ3ScI5Dd', 'oyd3TFZwKl', 'Ccc3BLjMGF', 'jwi388DBG2', 'KaH3w1dibT', 'KId3ZuEkfo', 'oP93QCgRFE', 'pbv3q44rHt', 'EmU3hC8WB8'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, YsSwNkWoPiJOuJybXU.csHigh entropy of concatenated method names: 'meap7nEM3E', 'F0op6ehWay', 'cPDpCvjPA8', 'RbhpIRtMqD', 'KOkpA4kOZZ', 'LeXpyD130g', 'DrNpfT9twv', 'XaupRRmHTD', 'M7spPgf3ae', 'uqRp2SsEar'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, ch5QPMtGFTNmQNBhOX.csHigh entropy of concatenated method names: 'ruZ4NkXajM', 'IGN4eHgm8E', 'oFo4WGDSKv', 'F5V4tA6wWK', 'uPX4Yay1Kl', 'q8h4DaVOwh', 'Ueo4cJfYq0', 'Dd54MfcH8L', 'Nc543OrrZV', 'dvY4uA1b4n'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, MpRBJBzFeIPNvFtGrt.csHigh entropy of concatenated method names: 'RvBuednhfL', 'daduWwLn2p', 'NyUutODQr1', 'zDBuObENs5', 'JGNuSA3nG5', 'zYvuBRGCT9', 'd7Ru8Ypwoj', 'VQXusWmKOx', 'Y8ruv6fk1m', 'eBAuLTo8XF'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, YVeVKjfMxibpnofVm0.csHigh entropy of concatenated method names: 'H7K3YACuFu', 'nSo3cGInHD', 'Hh833H9L4F', 'bNA3rs6Ls1', 'net3VGdrxc', 'Cpu3sSOMT4', 'Dispose', 'eiuM1uuNyN', 'sCUMpld8iJ', 'jBpM4xy4Jc'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, uea7iRCvJhnYCIC4xk.csHigh entropy of concatenated method names: 'ToString', 'd1aDlxWdaP', 'D3CDS17okB', 'borDTAULuM', 'cMsDBG3FQx', 'OAuD8O0nwC', 'KWQDwNguUA', 'GlmDZU60ic', 'bREDQoN8BQ', 'JNhDqxmxZw'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, RXf4TCxiiaJ0eib63Z.csHigh entropy of concatenated method names: 'b32mJsSwNk', 'aPimGJOuJy', 'qGFmbTNmQN', 'IhOmjXZaDk', 'avsmYesswV', 'XmvmDgQ3SE', 'c0xHetAgcfI27sUelL', 'z8jbCyEdqr0sBQbrKF', 'itJmm2Vrul', 'IW2mFCdshs'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, q1NvDvIvw30NCn9uN7.csHigh entropy of concatenated method names: 'SnecbVYJIm', 'Yaocj2TlSe', 'ToString', 'IDjc14UPCR', 'XbDcpGyPU6', 'dVUc4ImMOx', 'gKgc5udCNT', 'rbycUE3qwy', 'Lt0cJTnlQm', 'qW6cGWCq54'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, EeP0sh9n0RLy26G0M4.csHigh entropy of concatenated method names: 'BjnnqL7Pb', 'eSVNuM8jA', 'BeVefNhBB', 'Wj7HgU8Uo', 'fCqt6raG5', 'NnKdH6CWW', 'bXlyOkPrBpYNwaVvCD', 'opLZcotuBjg0bmjGBY', 'CYCMGLUmV', 'u8quOLSfs'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, qCrwflyOXlWauUTPa4.csHigh entropy of concatenated method names: 'lJycRsZcfg', 'MaPc22jMl1', 'tlDMoyhCck', 'OAkMmZ5XUR', 's9yclmb2nA', 'FBmcgZpC2O', 'BckciZkVK2', 'rNWc7krgi1', 'yWZc6dJpVG', 'WQscColT6W'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, IKUU4UZ3xGnrJlUuNd.csHigh entropy of concatenated method names: 'w7fJ1gc00l', 'obIJ43q9ly', 'a6tJUZ81jT', 'yfGU2YgfLV', 'PR7Uz7jbPa', 'mVlJoOXpcf', 'XycJmtKcTL', 'ACbJ90916t', 'u8SJFWbYLU', 'ybbJxWDc6h'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, rbQGaEpjZvr7IvK8vx.csHigh entropy of concatenated method names: 'Dispose', 'QbpmPnofVm', 'pEG9SOJ18j', 'hus2RbSkL7', 'evWm2HwnL5', 'nI5mzotsKU', 'ProcessDialogKey', 'MRo9oYWFWv', 'Yn49mXP3LJ', 'h9U99ACYep'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, UCYepL2PZ1MR7d97Ze.csHigh entropy of concatenated method names: 'h1yu4wCCaa', 'QaAu5JhTo6', 'VgquUmykW0', 'AGruJs1NEW', 'dRnu3lgxSZ', 'qrFuGYYN9c', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, XkrqG8SgVpRHPvU5LY.csHigh entropy of concatenated method names: 'vSByeL7UTy3SQv4wfOa', 'XqdtvM7dsGXrRaWFNjo', 'yaRUM98TYe', 'CIcU30hVr1', 'dIYUu3ryQ1', 'tH4qmF7RjD68CiJfv5q', 'OCmqvn7cYTP4p4SsEuf'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, Bw2WJAmmbiiaGBFmVDM.csHigh entropy of concatenated method names: 'W73u2OH3Fy', 'ztouzxjr0b', 'Cy8roZjHgr', 'kMHrm8J035', 'SmQr93gu2R', 'QcGrFsi3OH', 'jHkrxYpDWe', 'Dr8r00Ye6t', 'KoPr13We5R', 'sYqrpgvtGo'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, CdyaBUGrIJfKcV25Xf.csHigh entropy of concatenated method names: 'IdZF0vp3gT', 'zf5F1QDoMu', 'POGFpKiJdC', 'DreF47Fw1d', 'LSLF5qmTF4', 'WdoFUQWEfX', 'z7wFJlnXEx', 'WIyFG99pih', 'VtPFkF9QCX', 'VG7Fb3xoNO'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, VYdBcuqttIetJybMgn.csHigh entropy of concatenated method names: 'vivJvJAaTN', 'EcfJL8hdY2', 'FASJn6tGnQ', 'DoDJNaQ2Lw', 'j2KJExXR11', 'PKCJevrVxr', 'bufJHWLcuk', 'U4BJW1xiYf', 'FAqJtdKJyL', 'zZTJdV9gc2'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, xwVPmvOgQ3SEghexgw.csHigh entropy of concatenated method names: 'uA3U0SRYNx', 'tN1UpO78w1', 'cmvU5rHGiR', 'y87UJ7pf5w', 'posUGK1IOP', 'vMV5A4XCce', 'lE45yqch1L', 'Y4n5fbejEM', 'C855RSC3um', 'E5Y5PU11Z7'
                Source: 1.2.QUOTATION REQUEST.exe.8820000.4.raw.unpack, dy8pZqiUFMdUkoQAde.csHigh entropy of concatenated method names: 'xpTaWiGNMV', 'pbhatnhj2M', 'VBiaOnmOdA', 'H4gaSCkEvy', 'fuXaBumkwj', 'EfWa86rbdk', 'B1naZnEIO7', 'bRBaQvI1pa', 'lwVah6X3SC', 'VoialI4TIQ'
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile created: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeJump to dropped file

                Boot Survival

                barindex
                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp"

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\expand.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: QUOTATION REQUEST.exe PID: 5588, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: CBdbnantdvVSl.exe PID: 2324, type: MEMORYSTR
                Switches to a custom stack to bypass stack traces
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\expand.exeAPI/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: 2710000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: 2870000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: 2710000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: AD00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: BD00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: BFA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: CFA0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: D4E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: E4E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: F4E0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: 1790000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: 3250000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: 5250000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: 8F50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: 7630000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: 9F50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: AF50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: B4F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: C4F0000 memory reserve | memory write watchJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0142096E rdtsc 10_2_0142096E
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5421Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7233Jump to behavior
                Source: C:\Windows\SysWOW64\expand.exeWindow / User API: threadDelayed 1772
                Source: C:\Windows\SysWOW64\expand.exeWindow / User API: threadDelayed 8201
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.8 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeAPI coverage: 0.2 %
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exe TID: 5996Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2024Thread sleep count: 5421 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5936Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2924Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3136Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5396Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe TID: 7260Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\expand.exe TID: 7960Thread sleep count: 1772 > 30
                Source: C:\Windows\SysWOW64\expand.exe TID: 7960Thread sleep time: -3544000s >= -30000s
                Source: C:\Windows\SysWOW64\expand.exe TID: 7960Thread sleep count: 8201 > 30
                Source: C:\Windows\SysWOW64\expand.exe TID: 7960Thread sleep time: -16402000s >= -30000s
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe TID: 8020Thread sleep time: -75000s >= -30000s
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe TID: 8020Thread sleep count: 38 > 30
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe TID: 8020Thread sleep time: -57000s >= -30000s
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe TID: 8020Thread sleep count: 42 > 30
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe TID: 8020Thread sleep time: -42000s >= -30000s
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\expand.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\expand.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULLJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                Source: 1658571.21.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 1658571.21.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 1658571.21.drBinary or memory string: discord.comVMware20,11696487552f
                Source: 1658571.21.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4864407362.0000000001579000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQ
                Source: 1658571.21.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: 1658571.21.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: global block list test formVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: tasks.office.comVMware20,11696487552o
                Source: 1658571.21.drBinary or memory string: AMC password management pageVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: 1658571.21.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: dev.azure.comVMware20,11696487552j
                Source: 1658571.21.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 1658571.21.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: 1658571.21.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 1658571.21.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: expand.exe, 00000015.00000002.4863161881.0000000000624000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                Source: 1658571.21.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 1658571.21.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 1658571.21.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 1658571.21.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 1658571.21.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 1658571.21.drBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: 1658571.21.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 1658571.21.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 1658571.21.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: firefox.exe, 0000001B.00000002.3031191586.000001F6F915D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlluur7P
                Source: 1658571.21.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 1658571.21.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeProcess queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0142096E rdtsc 10_2_0142096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00417A83 LdrLoadDll,10_2_00417A83
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01474144 mov eax, dword ptr fs:[00000030h]10_2_01474144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01474144 mov eax, dword ptr fs:[00000030h]10_2_01474144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01474144 mov ecx, dword ptr fs:[00000030h]10_2_01474144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01474144 mov eax, dword ptr fs:[00000030h]10_2_01474144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01474144 mov eax, dword ptr fs:[00000030h]10_2_01474144
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01478158 mov eax, dword ptr fs:[00000030h]10_2_01478158
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov eax, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov ecx, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov eax, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov eax, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov ecx, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov eax, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov eax, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov ecx, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov eax, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E10E mov ecx, dword ptr fs:[00000030h]10_2_0148E10E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148A118 mov ecx, dword ptr fs:[00000030h]10_2_0148A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148A118 mov eax, dword ptr fs:[00000030h]10_2_0148A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148A118 mov eax, dword ptr fs:[00000030h]10_2_0148A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148A118 mov eax, dword ptr fs:[00000030h]10_2_0148A118
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A0115 mov eax, dword ptr fs:[00000030h]10_2_014A0115
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01410124 mov eax, dword ptr fs:[00000030h]10_2_01410124
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6154 mov eax, dword ptr fs:[00000030h]10_2_013E6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6154 mov eax, dword ptr fs:[00000030h]10_2_013E6154
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DC156 mov eax, dword ptr fs:[00000030h]10_2_013DC156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A61C3 mov eax, dword ptr fs:[00000030h]10_2_014A61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A61C3 mov eax, dword ptr fs:[00000030h]10_2_014A61C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E1D0 mov eax, dword ptr fs:[00000030h]10_2_0145E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E1D0 mov eax, dword ptr fs:[00000030h]10_2_0145E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E1D0 mov ecx, dword ptr fs:[00000030h]10_2_0145E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E1D0 mov eax, dword ptr fs:[00000030h]10_2_0145E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E1D0 mov eax, dword ptr fs:[00000030h]10_2_0145E1D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DA197 mov eax, dword ptr fs:[00000030h]10_2_013DA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DA197 mov eax, dword ptr fs:[00000030h]10_2_013DA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DA197 mov eax, dword ptr fs:[00000030h]10_2_013DA197
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B61E5 mov eax, dword ptr fs:[00000030h]10_2_014B61E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014101F8 mov eax, dword ptr fs:[00000030h]10_2_014101F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149C188 mov eax, dword ptr fs:[00000030h]10_2_0149C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149C188 mov eax, dword ptr fs:[00000030h]10_2_0149C188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01420185 mov eax, dword ptr fs:[00000030h]10_2_01420185
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01484180 mov eax, dword ptr fs:[00000030h]10_2_01484180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01484180 mov eax, dword ptr fs:[00000030h]10_2_01484180
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146019F mov eax, dword ptr fs:[00000030h]10_2_0146019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146019F mov eax, dword ptr fs:[00000030h]10_2_0146019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146019F mov eax, dword ptr fs:[00000030h]10_2_0146019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146019F mov eax, dword ptr fs:[00000030h]10_2_0146019F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466050 mov eax, dword ptr fs:[00000030h]10_2_01466050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DA020 mov eax, dword ptr fs:[00000030h]10_2_013DA020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DC020 mov eax, dword ptr fs:[00000030h]10_2_013DC020
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE016 mov eax, dword ptr fs:[00000030h]10_2_013FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE016 mov eax, dword ptr fs:[00000030h]10_2_013FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE016 mov eax, dword ptr fs:[00000030h]10_2_013FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE016 mov eax, dword ptr fs:[00000030h]10_2_013FE016
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140C073 mov eax, dword ptr fs:[00000030h]10_2_0140C073
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01464000 mov ecx, dword ptr fs:[00000030h]10_2_01464000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01482000 mov eax, dword ptr fs:[00000030h]10_2_01482000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E2050 mov eax, dword ptr fs:[00000030h]10_2_013E2050
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01476030 mov eax, dword ptr fs:[00000030h]10_2_01476030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014620DE mov eax, dword ptr fs:[00000030h]10_2_014620DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014660E0 mov eax, dword ptr fs:[00000030h]10_2_014660E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014220F0 mov ecx, dword ptr fs:[00000030h]10_2_014220F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E208A mov eax, dword ptr fs:[00000030h]10_2_013E208A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DC0F0 mov eax, dword ptr fs:[00000030h]10_2_013DC0F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E80E9 mov eax, dword ptr fs:[00000030h]10_2_013E80E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DA0E3 mov ecx, dword ptr fs:[00000030h]10_2_013DA0E3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014780A8 mov eax, dword ptr fs:[00000030h]10_2_014780A8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A60B8 mov eax, dword ptr fs:[00000030h]10_2_014A60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A60B8 mov ecx, dword ptr fs:[00000030h]10_2_014A60B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01462349 mov eax, dword ptr fs:[00000030h]10_2_01462349
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AA352 mov eax, dword ptr fs:[00000030h]10_2_014AA352
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01488350 mov ecx, dword ptr fs:[00000030h]10_2_01488350
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146035C mov eax, dword ptr fs:[00000030h]10_2_0146035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146035C mov eax, dword ptr fs:[00000030h]10_2_0146035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146035C mov eax, dword ptr fs:[00000030h]10_2_0146035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146035C mov ecx, dword ptr fs:[00000030h]10_2_0146035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146035C mov eax, dword ptr fs:[00000030h]10_2_0146035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146035C mov eax, dword ptr fs:[00000030h]10_2_0146035C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DC310 mov ecx, dword ptr fs:[00000030h]10_2_013DC310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148437C mov eax, dword ptr fs:[00000030h]10_2_0148437C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A30B mov eax, dword ptr fs:[00000030h]10_2_0141A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A30B mov eax, dword ptr fs:[00000030h]10_2_0141A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A30B mov eax, dword ptr fs:[00000030h]10_2_0141A30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01400310 mov ecx, dword ptr fs:[00000030h]10_2_01400310
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149C3CD mov eax, dword ptr fs:[00000030h]10_2_0149C3CD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014663C0 mov eax, dword ptr fs:[00000030h]10_2_014663C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E3DB mov eax, dword ptr fs:[00000030h]10_2_0148E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E3DB mov eax, dword ptr fs:[00000030h]10_2_0148E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E3DB mov ecx, dword ptr fs:[00000030h]10_2_0148E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148E3DB mov eax, dword ptr fs:[00000030h]10_2_0148E3DB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014843D4 mov eax, dword ptr fs:[00000030h]10_2_014843D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014843D4 mov eax, dword ptr fs:[00000030h]10_2_014843D4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D8397 mov eax, dword ptr fs:[00000030h]10_2_013D8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D8397 mov eax, dword ptr fs:[00000030h]10_2_013D8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D8397 mov eax, dword ptr fs:[00000030h]10_2_013D8397
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DE388 mov eax, dword ptr fs:[00000030h]10_2_013DE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DE388 mov eax, dword ptr fs:[00000030h]10_2_013DE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DE388 mov eax, dword ptr fs:[00000030h]10_2_013DE388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014163FF mov eax, dword ptr fs:[00000030h]10_2_014163FF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE3F0 mov eax, dword ptr fs:[00000030h]10_2_013FE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE3F0 mov eax, dword ptr fs:[00000030h]10_2_013FE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE3F0 mov eax, dword ptr fs:[00000030h]10_2_013FE3F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140438F mov eax, dword ptr fs:[00000030h]10_2_0140438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140438F mov eax, dword ptr fs:[00000030h]10_2_0140438F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F03E9 mov eax, dword ptr fs:[00000030h]10_2_013F03E9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA3C0 mov eax, dword ptr fs:[00000030h]10_2_013EA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA3C0 mov eax, dword ptr fs:[00000030h]10_2_013EA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA3C0 mov eax, dword ptr fs:[00000030h]10_2_013EA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA3C0 mov eax, dword ptr fs:[00000030h]10_2_013EA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA3C0 mov eax, dword ptr fs:[00000030h]10_2_013EA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA3C0 mov eax, dword ptr fs:[00000030h]10_2_013EA3C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E83C0 mov eax, dword ptr fs:[00000030h]10_2_013E83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E83C0 mov eax, dword ptr fs:[00000030h]10_2_013E83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E83C0 mov eax, dword ptr fs:[00000030h]10_2_013E83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E83C0 mov eax, dword ptr fs:[00000030h]10_2_013E83C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01468243 mov eax, dword ptr fs:[00000030h]10_2_01468243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01468243 mov ecx, dword ptr fs:[00000030h]10_2_01468243
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D823B mov eax, dword ptr fs:[00000030h]10_2_013D823B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149A250 mov eax, dword ptr fs:[00000030h]10_2_0149A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149A250 mov eax, dword ptr fs:[00000030h]10_2_0149A250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01490274 mov eax, dword ptr fs:[00000030h]10_2_01490274
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D826B mov eax, dword ptr fs:[00000030h]10_2_013D826B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E4260 mov eax, dword ptr fs:[00000030h]10_2_013E4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E4260 mov eax, dword ptr fs:[00000030h]10_2_013E4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E4260 mov eax, dword ptr fs:[00000030h]10_2_013E4260
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6259 mov eax, dword ptr fs:[00000030h]10_2_013E6259
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DA250 mov eax, dword ptr fs:[00000030h]10_2_013DA250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01460283 mov eax, dword ptr fs:[00000030h]10_2_01460283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01460283 mov eax, dword ptr fs:[00000030h]10_2_01460283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01460283 mov eax, dword ptr fs:[00000030h]10_2_01460283
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E284 mov eax, dword ptr fs:[00000030h]10_2_0141E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E284 mov eax, dword ptr fs:[00000030h]10_2_0141E284
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F02E1 mov eax, dword ptr fs:[00000030h]10_2_013F02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F02E1 mov eax, dword ptr fs:[00000030h]10_2_013F02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F02E1 mov eax, dword ptr fs:[00000030h]10_2_013F02E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014762A0 mov eax, dword ptr fs:[00000030h]10_2_014762A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014762A0 mov ecx, dword ptr fs:[00000030h]10_2_014762A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014762A0 mov eax, dword ptr fs:[00000030h]10_2_014762A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014762A0 mov eax, dword ptr fs:[00000030h]10_2_014762A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014762A0 mov eax, dword ptr fs:[00000030h]10_2_014762A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014762A0 mov eax, dword ptr fs:[00000030h]10_2_014762A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA2C3 mov eax, dword ptr fs:[00000030h]10_2_013EA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA2C3 mov eax, dword ptr fs:[00000030h]10_2_013EA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA2C3 mov eax, dword ptr fs:[00000030h]10_2_013EA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA2C3 mov eax, dword ptr fs:[00000030h]10_2_013EA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA2C3 mov eax, dword ptr fs:[00000030h]10_2_013EA2C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0535 mov eax, dword ptr fs:[00000030h]10_2_013F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0535 mov eax, dword ptr fs:[00000030h]10_2_013F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0535 mov eax, dword ptr fs:[00000030h]10_2_013F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0535 mov eax, dword ptr fs:[00000030h]10_2_013F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0535 mov eax, dword ptr fs:[00000030h]10_2_013F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0535 mov eax, dword ptr fs:[00000030h]10_2_013F0535
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141656A mov eax, dword ptr fs:[00000030h]10_2_0141656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141656A mov eax, dword ptr fs:[00000030h]10_2_0141656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141656A mov eax, dword ptr fs:[00000030h]10_2_0141656A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01476500 mov eax, dword ptr fs:[00000030h]10_2_01476500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4500 mov eax, dword ptr fs:[00000030h]10_2_014B4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4500 mov eax, dword ptr fs:[00000030h]10_2_014B4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4500 mov eax, dword ptr fs:[00000030h]10_2_014B4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4500 mov eax, dword ptr fs:[00000030h]10_2_014B4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4500 mov eax, dword ptr fs:[00000030h]10_2_014B4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4500 mov eax, dword ptr fs:[00000030h]10_2_014B4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4500 mov eax, dword ptr fs:[00000030h]10_2_014B4500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8550 mov eax, dword ptr fs:[00000030h]10_2_013E8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8550 mov eax, dword ptr fs:[00000030h]10_2_013E8550
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E53E mov eax, dword ptr fs:[00000030h]10_2_0140E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E53E mov eax, dword ptr fs:[00000030h]10_2_0140E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E53E mov eax, dword ptr fs:[00000030h]10_2_0140E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E53E mov eax, dword ptr fs:[00000030h]10_2_0140E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E53E mov eax, dword ptr fs:[00000030h]10_2_0140E53E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E5CF mov eax, dword ptr fs:[00000030h]10_2_0141E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E5CF mov eax, dword ptr fs:[00000030h]10_2_0141E5CF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A5D0 mov eax, dword ptr fs:[00000030h]10_2_0141A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A5D0 mov eax, dword ptr fs:[00000030h]10_2_0141A5D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E5E7 mov eax, dword ptr fs:[00000030h]10_2_0140E5E7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C5ED mov eax, dword ptr fs:[00000030h]10_2_0141C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C5ED mov eax, dword ptr fs:[00000030h]10_2_0141C5ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E2582 mov eax, dword ptr fs:[00000030h]10_2_013E2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E2582 mov ecx, dword ptr fs:[00000030h]10_2_013E2582
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01414588 mov eax, dword ptr fs:[00000030h]10_2_01414588
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E59C mov eax, dword ptr fs:[00000030h]10_2_0141E59C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E25E0 mov eax, dword ptr fs:[00000030h]10_2_013E25E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014605A7 mov eax, dword ptr fs:[00000030h]10_2_014605A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014605A7 mov eax, dword ptr fs:[00000030h]10_2_014605A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014605A7 mov eax, dword ptr fs:[00000030h]10_2_014605A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E65D0 mov eax, dword ptr fs:[00000030h]10_2_013E65D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014045B1 mov eax, dword ptr fs:[00000030h]10_2_014045B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014045B1 mov eax, dword ptr fs:[00000030h]10_2_014045B1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141E443 mov eax, dword ptr fs:[00000030h]10_2_0141E443
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140245A mov eax, dword ptr fs:[00000030h]10_2_0140245A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DC427 mov eax, dword ptr fs:[00000030h]10_2_013DC427
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DE420 mov eax, dword ptr fs:[00000030h]10_2_013DE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DE420 mov eax, dword ptr fs:[00000030h]10_2_013DE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DE420 mov eax, dword ptr fs:[00000030h]10_2_013DE420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149A456 mov eax, dword ptr fs:[00000030h]10_2_0149A456
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146C460 mov ecx, dword ptr fs:[00000030h]10_2_0146C460
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140A470 mov eax, dword ptr fs:[00000030h]10_2_0140A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140A470 mov eax, dword ptr fs:[00000030h]10_2_0140A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140A470 mov eax, dword ptr fs:[00000030h]10_2_0140A470
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01418402 mov eax, dword ptr fs:[00000030h]10_2_01418402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01418402 mov eax, dword ptr fs:[00000030h]10_2_01418402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01418402 mov eax, dword ptr fs:[00000030h]10_2_01418402
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D645D mov eax, dword ptr fs:[00000030h]10_2_013D645D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466420 mov eax, dword ptr fs:[00000030h]10_2_01466420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466420 mov eax, dword ptr fs:[00000030h]10_2_01466420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466420 mov eax, dword ptr fs:[00000030h]10_2_01466420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466420 mov eax, dword ptr fs:[00000030h]10_2_01466420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466420 mov eax, dword ptr fs:[00000030h]10_2_01466420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466420 mov eax, dword ptr fs:[00000030h]10_2_01466420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01466420 mov eax, dword ptr fs:[00000030h]10_2_01466420
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A430 mov eax, dword ptr fs:[00000030h]10_2_0141A430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E64AB mov eax, dword ptr fs:[00000030h]10_2_013E64AB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0149A49A mov eax, dword ptr fs:[00000030h]10_2_0149A49A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E04E5 mov ecx, dword ptr fs:[00000030h]10_2_013E04E5
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014144B0 mov ecx, dword ptr fs:[00000030h]10_2_014144B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146A4B0 mov eax, dword ptr fs:[00000030h]10_2_0146A4B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141674D mov esi, dword ptr fs:[00000030h]10_2_0141674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141674D mov eax, dword ptr fs:[00000030h]10_2_0141674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141674D mov eax, dword ptr fs:[00000030h]10_2_0141674D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422750 mov eax, dword ptr fs:[00000030h]10_2_01422750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422750 mov eax, dword ptr fs:[00000030h]10_2_01422750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01464755 mov eax, dword ptr fs:[00000030h]10_2_01464755
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146E75D mov eax, dword ptr fs:[00000030h]10_2_0146E75D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0710 mov eax, dword ptr fs:[00000030h]10_2_013E0710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C700 mov eax, dword ptr fs:[00000030h]10_2_0141C700
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8770 mov eax, dword ptr fs:[00000030h]10_2_013E8770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0770 mov eax, dword ptr fs:[00000030h]10_2_013F0770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01410710 mov eax, dword ptr fs:[00000030h]10_2_01410710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C720 mov eax, dword ptr fs:[00000030h]10_2_0141C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C720 mov eax, dword ptr fs:[00000030h]10_2_0141C720
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0750 mov eax, dword ptr fs:[00000030h]10_2_013E0750
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145C730 mov eax, dword ptr fs:[00000030h]10_2_0145C730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141273C mov eax, dword ptr fs:[00000030h]10_2_0141273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141273C mov ecx, dword ptr fs:[00000030h]10_2_0141273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141273C mov eax, dword ptr fs:[00000030h]10_2_0141273C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014607C3 mov eax, dword ptr fs:[00000030h]10_2_014607C3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E07AF mov eax, dword ptr fs:[00000030h]10_2_013E07AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146E7E1 mov eax, dword ptr fs:[00000030h]10_2_0146E7E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014027ED mov eax, dword ptr fs:[00000030h]10_2_014027ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014027ED mov eax, dword ptr fs:[00000030h]10_2_014027ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014027ED mov eax, dword ptr fs:[00000030h]10_2_014027ED
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E47FB mov eax, dword ptr fs:[00000030h]10_2_013E47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E47FB mov eax, dword ptr fs:[00000030h]10_2_013E47FB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148678E mov eax, dword ptr fs:[00000030h]10_2_0148678E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014947A0 mov eax, dword ptr fs:[00000030h]10_2_014947A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EC7C0 mov eax, dword ptr fs:[00000030h]10_2_013EC7C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E262C mov eax, dword ptr fs:[00000030h]10_2_013E262C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FE627 mov eax, dword ptr fs:[00000030h]10_2_013FE627
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A660 mov eax, dword ptr fs:[00000030h]10_2_0141A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A660 mov eax, dword ptr fs:[00000030h]10_2_0141A660
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A866E mov eax, dword ptr fs:[00000030h]10_2_014A866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A866E mov eax, dword ptr fs:[00000030h]10_2_014A866E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F260B mov eax, dword ptr fs:[00000030h]10_2_013F260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F260B mov eax, dword ptr fs:[00000030h]10_2_013F260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F260B mov eax, dword ptr fs:[00000030h]10_2_013F260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F260B mov eax, dword ptr fs:[00000030h]10_2_013F260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F260B mov eax, dword ptr fs:[00000030h]10_2_013F260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F260B mov eax, dword ptr fs:[00000030h]10_2_013F260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F260B mov eax, dword ptr fs:[00000030h]10_2_013F260B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01412674 mov eax, dword ptr fs:[00000030h]10_2_01412674
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E609 mov eax, dword ptr fs:[00000030h]10_2_0145E609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01422619 mov eax, dword ptr fs:[00000030h]10_2_01422619
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01416620 mov eax, dword ptr fs:[00000030h]10_2_01416620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01418620 mov eax, dword ptr fs:[00000030h]10_2_01418620
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FC640 mov eax, dword ptr fs:[00000030h]10_2_013FC640
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A6C7 mov ebx, dword ptr fs:[00000030h]10_2_0141A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A6C7 mov eax, dword ptr fs:[00000030h]10_2_0141A6C7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E4690 mov eax, dword ptr fs:[00000030h]10_2_013E4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E4690 mov eax, dword ptr fs:[00000030h]10_2_013E4690
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E6F2 mov eax, dword ptr fs:[00000030h]10_2_0145E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E6F2 mov eax, dword ptr fs:[00000030h]10_2_0145E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E6F2 mov eax, dword ptr fs:[00000030h]10_2_0145E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E6F2 mov eax, dword ptr fs:[00000030h]10_2_0145E6F2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014606F1 mov eax, dword ptr fs:[00000030h]10_2_014606F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014606F1 mov eax, dword ptr fs:[00000030h]10_2_014606F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C6A6 mov eax, dword ptr fs:[00000030h]10_2_0141C6A6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014166B0 mov eax, dword ptr fs:[00000030h]10_2_014166B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01460946 mov eax, dword ptr fs:[00000030h]10_2_01460946
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01406962 mov eax, dword ptr fs:[00000030h]10_2_01406962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01406962 mov eax, dword ptr fs:[00000030h]10_2_01406962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01406962 mov eax, dword ptr fs:[00000030h]10_2_01406962
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D8918 mov eax, dword ptr fs:[00000030h]10_2_013D8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D8918 mov eax, dword ptr fs:[00000030h]10_2_013D8918
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0142096E mov eax, dword ptr fs:[00000030h]10_2_0142096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0142096E mov edx, dword ptr fs:[00000030h]10_2_0142096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0142096E mov eax, dword ptr fs:[00000030h]10_2_0142096E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01484978 mov eax, dword ptr fs:[00000030h]10_2_01484978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01484978 mov eax, dword ptr fs:[00000030h]10_2_01484978
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146C97C mov eax, dword ptr fs:[00000030h]10_2_0146C97C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E908 mov eax, dword ptr fs:[00000030h]10_2_0145E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145E908 mov eax, dword ptr fs:[00000030h]10_2_0145E908
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146C912 mov eax, dword ptr fs:[00000030h]10_2_0146C912
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146892A mov eax, dword ptr fs:[00000030h]10_2_0146892A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0147892B mov eax, dword ptr fs:[00000030h]10_2_0147892B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014769C0 mov eax, dword ptr fs:[00000030h]10_2_014769C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014149D0 mov eax, dword ptr fs:[00000030h]10_2_014149D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E09AD mov eax, dword ptr fs:[00000030h]10_2_013E09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E09AD mov eax, dword ptr fs:[00000030h]10_2_013E09AD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AA9D3 mov eax, dword ptr fs:[00000030h]10_2_014AA9D3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F29A0 mov eax, dword ptr fs:[00000030h]10_2_013F29A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146E9E0 mov eax, dword ptr fs:[00000030h]10_2_0146E9E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014129F9 mov eax, dword ptr fs:[00000030h]10_2_014129F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014129F9 mov eax, dword ptr fs:[00000030h]10_2_014129F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA9D0 mov eax, dword ptr fs:[00000030h]10_2_013EA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA9D0 mov eax, dword ptr fs:[00000030h]10_2_013EA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA9D0 mov eax, dword ptr fs:[00000030h]10_2_013EA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA9D0 mov eax, dword ptr fs:[00000030h]10_2_013EA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA9D0 mov eax, dword ptr fs:[00000030h]10_2_013EA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EA9D0 mov eax, dword ptr fs:[00000030h]10_2_013EA9D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014689B3 mov esi, dword ptr fs:[00000030h]10_2_014689B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014689B3 mov eax, dword ptr fs:[00000030h]10_2_014689B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014689B3 mov eax, dword ptr fs:[00000030h]10_2_014689B3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01410854 mov eax, dword ptr fs:[00000030h]10_2_01410854
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146E872 mov eax, dword ptr fs:[00000030h]10_2_0146E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146E872 mov eax, dword ptr fs:[00000030h]10_2_0146E872
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01476870 mov eax, dword ptr fs:[00000030h]10_2_01476870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01476870 mov eax, dword ptr fs:[00000030h]10_2_01476870
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146C810 mov eax, dword ptr fs:[00000030h]10_2_0146C810
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E4859 mov eax, dword ptr fs:[00000030h]10_2_013E4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E4859 mov eax, dword ptr fs:[00000030h]10_2_013E4859
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141A830 mov eax, dword ptr fs:[00000030h]10_2_0141A830
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148483A mov eax, dword ptr fs:[00000030h]10_2_0148483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148483A mov eax, dword ptr fs:[00000030h]10_2_0148483A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01402835 mov eax, dword ptr fs:[00000030h]10_2_01402835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01402835 mov eax, dword ptr fs:[00000030h]10_2_01402835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01402835 mov eax, dword ptr fs:[00000030h]10_2_01402835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01402835 mov ecx, dword ptr fs:[00000030h]10_2_01402835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01402835 mov eax, dword ptr fs:[00000030h]10_2_01402835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01402835 mov eax, dword ptr fs:[00000030h]10_2_01402835
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F2840 mov ecx, dword ptr fs:[00000030h]10_2_013F2840
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140E8C0 mov eax, dword ptr fs:[00000030h]10_2_0140E8C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AA8E4 mov eax, dword ptr fs:[00000030h]10_2_014AA8E4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C8F9 mov eax, dword ptr fs:[00000030h]10_2_0141C8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141C8F9 mov eax, dword ptr fs:[00000030h]10_2_0141C8F9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0887 mov eax, dword ptr fs:[00000030h]10_2_013E0887
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146C89D mov eax, dword ptr fs:[00000030h]10_2_0146C89D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01494B4B mov eax, dword ptr fs:[00000030h]10_2_01494B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01494B4B mov eax, dword ptr fs:[00000030h]10_2_01494B4B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01476B40 mov eax, dword ptr fs:[00000030h]10_2_01476B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01476B40 mov eax, dword ptr fs:[00000030h]10_2_01476B40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014AAB40 mov eax, dword ptr fs:[00000030h]10_2_014AAB40
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01488B42 mov eax, dword ptr fs:[00000030h]10_2_01488B42
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148EB50 mov eax, dword ptr fs:[00000030h]10_2_0148EB50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013DCB7E mov eax, dword ptr fs:[00000030h]10_2_013DCB7E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145EB1D mov eax, dword ptr fs:[00000030h]10_2_0145EB1D
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140EB20 mov eax, dword ptr fs:[00000030h]10_2_0140EB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140EB20 mov eax, dword ptr fs:[00000030h]10_2_0140EB20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A8B28 mov eax, dword ptr fs:[00000030h]10_2_014A8B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014A8B28 mov eax, dword ptr fs:[00000030h]10_2_014A8B28
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0BBE mov eax, dword ptr fs:[00000030h]10_2_013F0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0BBE mov eax, dword ptr fs:[00000030h]10_2_013F0BBE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01400BCB mov eax, dword ptr fs:[00000030h]10_2_01400BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01400BCB mov eax, dword ptr fs:[00000030h]10_2_01400BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01400BCB mov eax, dword ptr fs:[00000030h]10_2_01400BCB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148EBD0 mov eax, dword ptr fs:[00000030h]10_2_0148EBD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146CBF0 mov eax, dword ptr fs:[00000030h]10_2_0146CBF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140EBFC mov eax, dword ptr fs:[00000030h]10_2_0140EBFC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8BF0 mov eax, dword ptr fs:[00000030h]10_2_013E8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8BF0 mov eax, dword ptr fs:[00000030h]10_2_013E8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8BF0 mov eax, dword ptr fs:[00000030h]10_2_013E8BF0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0BCD mov eax, dword ptr fs:[00000030h]10_2_013E0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0BCD mov eax, dword ptr fs:[00000030h]10_2_013E0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0BCD mov eax, dword ptr fs:[00000030h]10_2_013E0BCD
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01494BB0 mov eax, dword ptr fs:[00000030h]10_2_01494BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01494BB0 mov eax, dword ptr fs:[00000030h]10_2_01494BB0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0148EA60 mov eax, dword ptr fs:[00000030h]10_2_0148EA60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141CA6F mov eax, dword ptr fs:[00000030h]10_2_0141CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141CA6F mov eax, dword ptr fs:[00000030h]10_2_0141CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141CA6F mov eax, dword ptr fs:[00000030h]10_2_0141CA6F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145CA72 mov eax, dword ptr fs:[00000030h]10_2_0145CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0145CA72 mov eax, dword ptr fs:[00000030h]10_2_0145CA72
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0146CA11 mov eax, dword ptr fs:[00000030h]10_2_0146CA11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0A5B mov eax, dword ptr fs:[00000030h]10_2_013F0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013F0A5B mov eax, dword ptr fs:[00000030h]10_2_013F0A5B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141CA24 mov eax, dword ptr fs:[00000030h]10_2_0141CA24
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0140EA2E mov eax, dword ptr fs:[00000030h]10_2_0140EA2E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6A50 mov eax, dword ptr fs:[00000030h]10_2_013E6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6A50 mov eax, dword ptr fs:[00000030h]10_2_013E6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6A50 mov eax, dword ptr fs:[00000030h]10_2_013E6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6A50 mov eax, dword ptr fs:[00000030h]10_2_013E6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6A50 mov eax, dword ptr fs:[00000030h]10_2_013E6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6A50 mov eax, dword ptr fs:[00000030h]10_2_013E6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E6A50 mov eax, dword ptr fs:[00000030h]10_2_013E6A50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01404A35 mov eax, dword ptr fs:[00000030h]10_2_01404A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01404A35 mov eax, dword ptr fs:[00000030h]10_2_01404A35
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141CA38 mov eax, dword ptr fs:[00000030h]10_2_0141CA38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01436ACC mov eax, dword ptr fs:[00000030h]10_2_01436ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01436ACC mov eax, dword ptr fs:[00000030h]10_2_01436ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01436ACC mov eax, dword ptr fs:[00000030h]10_2_01436ACC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01414AD0 mov eax, dword ptr fs:[00000030h]10_2_01414AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01414AD0 mov eax, dword ptr fs:[00000030h]10_2_01414AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8AA0 mov eax, dword ptr fs:[00000030h]10_2_013E8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E8AA0 mov eax, dword ptr fs:[00000030h]10_2_013E8AA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141AAEE mov eax, dword ptr fs:[00000030h]10_2_0141AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0141AAEE mov eax, dword ptr fs:[00000030h]10_2_0141AAEE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013EEA80 mov eax, dword ptr fs:[00000030h]10_2_013EEA80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_014B4A80 mov eax, dword ptr fs:[00000030h]10_2_014B4A80
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01418A90 mov edx, dword ptr fs:[00000030h]10_2_01418A90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01436AA4 mov eax, dword ptr fs:[00000030h]10_2_01436AA4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013E0AD0 mov eax, dword ptr fs:[00000030h]10_2_013E0AD0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01478D6B mov eax, dword ptr fs:[00000030h]10_2_01478D6B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D6D10 mov eax, dword ptr fs:[00000030h]10_2_013D6D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D6D10 mov eax, dword ptr fs:[00000030h]10_2_013D6D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013D6D10 mov eax, dword ptr fs:[00000030h]10_2_013D6D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FAD00 mov eax, dword ptr fs:[00000030h]10_2_013FAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FAD00 mov eax, dword ptr fs:[00000030h]10_2_013FAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_013FAD00 mov eax, dword ptr fs:[00000030h]10_2_013FAD00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01498D10 mov eax, dword ptr fs:[00000030h]10_2_01498D10
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_01498D10 mov eax, dword ptr fs:[00000030h]10_2_01498D10
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe"
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe"
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe"Jump to behavior
                Allocates memory in foreign processes
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtCreateUserProcess: Direct from: 0x7738371CJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtResumeThread: Direct from: 0x77382FBCJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtWriteVirtualMemory: Direct from: 0x7738490CJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtReadFile: Direct from: 0x77382ADCJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtQueryVolumeInformationFile: Direct from: 0x77382F2CJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtReadVirtualMemory: Direct from: 0x77382E8CJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtAllocateVirtualMemory: Direct from: 0x773848ECJump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtOpenFile: Direct from: 0x77382DCC
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeNtTerminateThread: Direct from: 0x77377B2EJump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: NULL target: C:\Windows\SysWOW64\expand.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe protection: read write
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: read write
                Source: C:\Windows\SysWOW64\expand.exeSection loaded: NULL target: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe protection: execute and read and write
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\expand.exeThread register set: target process: 3160
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\expand.exeThread APC queued: target process: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exe
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A90008Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 106C008Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTATION REQUEST.exe"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp6C58.tmp"Jump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CBdbnantdvVSl" /XML "C:\Users\user\AppData\Local\Temp\tmp8B5A.tmp"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                Source: C:\Program Files (x86)\TdRrxCFgJblpcOjeKAFwLhnmJfIIZgPKBAzNirhZNsCMqGhhwMDajD\t9nPMqWgjgvh1b7pdo.exeProcess created: C:\Windows\SysWOW64\expand.exe "C:\Windows\SysWOW64\expand.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\expand.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000014.00000000.2637231869.0000000001070000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000002.4863737481.0000000001071000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4864750695.00000000019E1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000014.00000000.2637231869.0000000001070000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000002.4863737481.0000000001071000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4864750695.00000000019E1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000014.00000000.2637231869.0000000001070000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000002.4863737481.0000000001071000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4864750695.00000000019E1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: t9nPMqWgjgvh1b7pdo.exe, 00000014.00000000.2637231869.0000000001070000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000014.00000002.4863737481.0000000001071000.00000002.00000001.00040000.00000000.sdmp, t9nPMqWgjgvh1b7pdo.exe, 00000018.00000002.4864750695.00000000019E1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Users\user\Desktop\QUOTATION REQUEST.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeQueries volume information: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\CBdbnantdvVSl.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\QUOTATION REQUEST.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000015.00000002.4865412130.0000000000830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2723717849.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4862844200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4865277895.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2724639659.0000000001350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.4864904721.0000000004F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2726669936.00000000040B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\expand.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\expand.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000015.00000002.4865412130.0000000000830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2723717849.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4862844200.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.4865277895.00000000007E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2724639659.0000000001350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.4864904721.0000000004F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2726669936.00000000040B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Scheduled Task/Job                		1
                Scheduled Task/Job                		612
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		221
                Security Software Discovery                		Remote Services1
                Email Collection                		1
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading                		1
                Scheduled Task/Job                		11
                Disable or Modify Tools                		LSASS Memory2
                Process Discovery                		Remote Desktop Protocol1
                Archive Collected Data                		3
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                Abuse Elevation Control Mechanism                		41
                Virtualization/Sandbox Evasion                		Security Account Manager41
                Virtualization/Sandbox Evasion                		SMB/Windows Admin Shares1
                Data from Local System                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                DLL Side-Loading                		612
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object ModelInput Capture4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets2
                File and Directory Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Abuse Elevation Control Mechanism                		Cached Domain Credentials113
                System Information Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items3
                Obfuscated Files or Information                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                Software Packing                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                Timestomp                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                DLL Side-Loading                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1618000 Sample: QUOTATION REQUEST.exe Startdate: 18/02/2025 Architecture: WINDOWS Score: 100 59 www.us-urbanservices.net 2->59 61 www.primeibes.live 2->61 63 14 other IPs or domains 2->63 75 Suricata IDS alerts for network traffic 2->75 77 Sigma detected: Scheduled temp file as task from temp location 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 9 other signatures 2->81 10 QUOTATION REQUEST.exe 7 2->10         started        14 CBdbnantdvVSl.exe 5 2->14         started        signatures3 process4 file5 51 C:\Users\user\AppData\...\CBdbnantdvVSl.exe, PE32 10->51 dropped 53 C:\...\CBdbnantdvVSl.exe:Zone.Identifier, ASCII 10->53 dropped 55 C:\Users\user\AppData\Local\...\tmp6C58.tmp, XML 10->55 dropped 57 C:\Users\user\...\QUOTATION REQUEST.exe.log, ASCII 10->57 dropped 91 Writes to foreign memory regions 10->91 93 Allocates memory in foreign processes 10->93 95 Adds a directory exclusion to Windows Defender 10->95 16 RegSvcs.exe 10->16         started        19 powershell.exe 23 10->19         started        21 powershell.exe 23 10->21         started        23 schtasks.exe 1 10->23         started        97 Multi AV Scanner detection for dropped file 14->97 99 Injects a PE file into a foreign processes 14->99 25 schtasks.exe 1 14->25         started        27 RegSvcs.exe 14->27         started        signatures6 process7 signatures8 71 Maps a DLL or memory area into another process 16->71 29 t9nPMqWgjgvh1b7pdo.exe 16->29 injected 73 Loading BitLocker PowerShell Module 19->73 32 WmiPrvSE.exe 19->32         started        34 conhost.exe 19->34         started        36 conhost.exe 21->36         started        38 conhost.exe 23->38         started        40 conhost.exe 25->40         started        process9 signatures10 101 Found direct / indirect Syscall (likely to bypass EDR) 29->101 42 expand.exe 29->42         started        process11 signatures12 83 Tries to steal Mail credentials (via file / registry access) 42->83 85 Tries to harvest and steal browser information (history, passwords, etc) 42->85 87 Modifies the context of a thread in another process (thread injection) 42->87 89 3 other signatures 42->89 45 t9nPMqWgjgvh1b7pdo.exe 42->45 injected 49 firefox.exe 42->49         started        process13 dnsIp14 65 www.us-urbanservices.net 185.125.27.32, 50020, 50021, 50025 INFOMANIAK-ASCH Switzerland 45->65 67 www.primeibes.live 69.57.163.227, 50045, 50046, 50047 FORTRESSITXUS United States 45->67 69 12 other IPs or domains 45->69 103 Found direct / indirect Syscall (likely to bypass EDR) 45->103 signatures15

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.