Windows Analysis Report
QUOTE2342534.exe

Overview

General Information

Sample name: QUOTE2342534.exe
Analysis ID: 1541203
MD5: c19949939d08baee86643132d7ce7542
SHA1: 5c8f131cb332bb49c68ab04cc2350c224d4d4d5b
SHA256: a99f8a264c968ef7d4815a0bf6d53854d7c26da69adba84750c48c58bfea7384
Tags: exe
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: QUOTE2342534.exe ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4594417209.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2231861338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4594132519.0000000003340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4597123623.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4592913893.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2232369881.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2233350481.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4594398823.0000000003FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: QUOTE2342534.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: QUOTE2342534.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QUOTE2342534.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mshta.pdbGCTL source: QUOTE2342534.exe, 00000004.00000002.2232065125.0000000001197000.00000004.00000020.00020000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000002.4593662972.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qnPyaKsYTE.exe, 00000007.00000000.2154339993.000000000012E000.00000002.00000001.01000000.0000000C.sdmp, qnPyaKsYTE.exe, 0000000A.00000000.2297414318.000000000012E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: QUOTE2342534.exe, 00000004.00000002.2232503719.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4594573230.0000000003810000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2232129759.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2233823345.000000000366A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4594573230.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: iFFZ.pdbSHA256 source: QUOTE2342534.exe
Source: Binary string: wntdll.pdb source: QUOTE2342534.exe, QUOTE2342534.exe, 00000004.00000002.2232503719.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, mshta.exe, 00000008.00000002.4594573230.0000000003810000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2232129759.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2233823345.000000000366A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4594573230.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: iFFZ.pdb source: QUOTE2342534.exe
Source: Binary string: mshta.pdb source: QUOTE2342534.exe, 00000004.00000002.2232065125.0000000001197000.00000004.00000020.00020000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000002.4593662972.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F3C390 FindFirstFileW,FindNextFileW,FindClose, 8_2_02F3C390
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\mshta.exe Code function: 4x nop then xor eax, eax 8_2_02F29B10
Source: C:\Windows\SysWOW64\mshta.exe Code function: 4x nop then pop edi 8_2_02F2E030
Source: C:\Windows\SysWOW64\mshta.exe Code function: 4x nop then mov ebx, 00000004h 8_2_03B604DF

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49787 -> 129.226.56.200:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49787 -> 129.226.56.200:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49866 -> 162.0.215.33:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49877 -> 162.0.215.33:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49893 -> 162.0.215.33:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49908 -> 162.0.215.33:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49908 -> 162.0.215.33:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49940 -> 154.7.176.67:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49956 -> 154.7.176.67:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49972 -> 154.7.176.67:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49991 -> 118.139.178.37:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49994 -> 118.139.178.37:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49994 -> 118.139.178.37:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49988 -> 154.7.176.67:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50004 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49988 -> 154.7.176.67:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 118.139.178.37:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49995 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50008 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50010 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50010 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50016 -> 154.9.228.56:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50014 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50014 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50012 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50030 -> 129.226.176.90:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50032 -> 213.249.67.10:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50030 -> 129.226.176.90:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 209.74.64.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50020 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49999 -> 209.74.64.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50024 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50033 -> 213.249.67.10:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 154.9.228.56:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50028 -> 129.226.176.90:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50031 -> 213.249.67.10:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50037 -> 67.223.117.169:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50035 -> 67.223.117.169:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 154.9.228.56:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50034 -> 213.249.67.10:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50039 -> 129.226.56.200:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50039 -> 129.226.56.200:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50034 -> 213.249.67.10:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49998 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49998 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50036 -> 67.223.117.169:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50029 -> 129.226.176.90:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50018 -> 154.9.228.56:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50018 -> 154.9.228.56:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50006 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50006 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50040 -> 162.0.215.33:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50038 -> 67.223.117.169:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50038 -> 67.223.117.169:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50027 -> 129.226.176.90:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 209.74.64.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 118.139.178.37:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50002 -> 209.74.64.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50002 -> 209.74.64.190:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50026 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50026 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50022 -> 84.32.84.32:80
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50022 -> 84.32.84.32:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.xueerr.xyz
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ACPCA ACPCA
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
Source: Joe Sandbox View ASN Name: METAREGISTRARNL METAREGISTRARNL
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /28kl/?7Bohe=ZkKAB6qSK6F5HsjBEzwiMizWOSJwTbSi5er0Koahj7mpnIIYqRoLKzbDk71u2k+MO6tmUyIoyOO9F/o0RCIBFZEb81/8BfbGrnNiAiZNS4xvfhhZvRECGHuLoGBIxYjXhw==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.dxfwrc2h.sbsConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /4bpc/?7Bohe=W6c12MBAM7+Q3p2I42CNcaaX4meOt2NlPYb0dUqqy/7eqOW0wKa7H8cBCmolVGR7OaXpdOvS7kWyFQKJ7xuZambhzJ6Jbz/iDls78L0zlt4s48FcRMJ2uoIWwWqypjO6Yg==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.nieuws-july202491.sbsConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /oacu/?vD=h0e85v&7Bohe=QyeFQ+FiMQKSKdq/BKxG+5Ov1bwmlN3FnlPZyKM2ZYbXsZFvV/O3NTv6ZfeubWU6jSKaxDXQpId5DKUlUVN54eSFHJCOrp//l7em+zpeeu1iGig/Io/KcJQlUpo44DFlsQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.putizhong.homesConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /o55g/?7Bohe=SntAYgquUuF8cmTqKgeHt96czNjKbI7walrzfjn5MBbpbz0DMUAQT5TGmaCmCOcjM4ET7TOvVUXTFF/O6lHSx5C+s9iWJ/mgfg63citE2SV2GP/8IEdknZeeY7ynAeJL4g==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.coba168.infoConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /kb53/?7Bohe=1b0Bx/9NiZhb6KmmoJd23RBorG5xllzN0i8gdStRuw/8VfKYv2Om9x/jS97CLdhlzFEmDVkAPiLAZwnB3Rwit6hYzhYwWiv4x0tew8h6s38ig+exADmGM0H8mBfgPTkFYw==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.everyone.golfConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /elh0/?7Bohe=pzF/mZhnV0GSmLX+GycMwU6WT06CzqVGvQudBfY4Dqjs/3KtcpfJYGVadgWONk/4osLjzgZwgHUQ0ZwKAvTdTnbY8Qd/xTrHuaQfE1OzRfvOWlfeun0LuB51rXnhStJusg==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.royapop.onlineConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /deo6/?7Bohe=NByBCVC4fvk3zNlObrJyagJtuzfI3YQ4Ad7pkV0ATPDcP1/VdlZwhks7LZ4Zlk95UTsGsfg9gVB7u8RemM4hoUvK2Ig2OY9rZRI88AWKe5yd8pSEv6a6wulMHxqZW9lecA==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.b-ambu.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /r966/?vD=h0e85v&7Bohe=St0zOmS57JvxXHngaoKRrYwJhw67SG7V3FAZs2TYvCYNXtW49c+AatXE2ZBTP/KNdGCD9DmtL2naWYac77vyUP4q1YSJ6U5Kf8MwRQ43aJ1o9SgGH2ER+UvSNI1J5J1sVQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.livpure-grab.onlineConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /4nqw/?7Bohe=TM4wmIiUDmnTKniklQ90uhNUhJ9wAlE9nf/Yl9jXXOP3K1JO7ypWLJJbcPRG/mn1E4sifjVCDcv63SEcY+fHR48yBI63+DhGjujcAAYsRe1/gzF87OhGQiowvZSxcJ02Hg==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.bandukchi.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /djad/?7Bohe=OgBIZAb3K3QVmDSyooTSIAO5Tll+jwwdUI93t9cTrZTAkguQuNIIHt4CXXwiEPUK7V7i0FBLQRxFESBesMpHDzV+LIhV5qbZyNO4rVJKeHZqQ73AKCfxWCZcLIU2txA0ig==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.mcse.topConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /2vbz/?7Bohe=qlAZWX/ch455H6hDeAWyjxeCoVjeFLImmNyoFLJZcRWWfOSwb/dYbmE5Lo+ESXiDiuCMQOi3bdztXr54sGaKYuw5X5+G7ZC+wzrMILyG35q/IsHjv6ziuhAlYbb1UGsQUw==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.voidzero.techConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /cvus/?7Bohe=L6/IgR7jnWgHAqCUWtdTnyQ3KOMoF6iy/gVxl52J0nU+SVs5srMG6NDyylAnxUOxWBqWqLnFW3nZioCT6UqXKC7zbsKc4BTPzCMAY+nXmzAcPovgamuSI2ghdEMnHjenpA==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.huwin.clubConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /vhqd/?7Bohe=WoZBIA9oyl+J2b4VfTP9l9A782ZII/35uSr01551g8NzakXtA+Pa5+JAPkHp6kowgs8acnK71ZwIZDZByVYOuYH08N3N2lAmC4I9AOVCDFEu0aUC6s+F7cMMpoEI61JPvA==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.xueerr.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /z0t0/?7Bohe=9B/xOqaHJLGzhK9+asydflyTnlILmfDyrXYYsxrw44oQhSljsJ3AUyXQia4yxUul1qSv48mAxItuxzOnZ7dQ4iYj8ngc1biNZhlnUORZPI7XnMKBVwak16kasN63mT84/Q==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.onlineblikje.onlineConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /3x2e/?7Bohe=LxBS6Twi9uZYinzDVhZFrrwHDjbbsejF2aCFyI0NTfR3MRAzX3VYMflTVpKBnal2v445F0Z9ZuD89KJE1ZsSKujcQCdh/qxt+vHDLhQvad3slFytU7/EPl4Sr/TZznzmuw==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.rtpsilva4d.clickConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic HTTP traffic detected: GET /28kl/?7Bohe=ZkKAB6qSK6F5HsjBEzwiMizWOSJwTbSi5er0Koahj7mpnIIYqRoLKzbDk71u2k+MO6tmUyIoyOO9F/o0RCIBFZEb81/8BfbGrnNiAiZNS4xvfhhZvRECGHuLoGBIxYjXhw==&vD=h0e85v HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.dxfwrc2h.sbsConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4
Source: global traffic DNS traffic detected: DNS query: www.dxfwrc2h.sbs
Source: global traffic DNS traffic detected: DNS query: www.nieuws-july202491.sbs
Source: global traffic DNS traffic detected: DNS query: www.putizhong.homes
Source: global traffic DNS traffic detected: DNS query: www.coba168.info
Source: global traffic DNS traffic detected: DNS query: www.everyone.golf
Source: global traffic DNS traffic detected: DNS query: www.royapop.online
Source: global traffic DNS traffic detected: DNS query: www.jy58gdwf7t.skin
Source: global traffic DNS traffic detected: DNS query: www.b-ambu.com
Source: global traffic DNS traffic detected: DNS query: www.livpure-grab.online
Source: global traffic DNS traffic detected: DNS query: www.bandukchi.com
Source: global traffic DNS traffic detected: DNS query: www.mcse.top
Source: global traffic DNS traffic detected: DNS query: www.voidzero.tech
Source: global traffic DNS traffic detected: DNS query: www.huwin.club
Source: global traffic DNS traffic detected: DNS query: www.xueerr.xyz
Source: global traffic DNS traffic detected: DNS query: www.onlineblikje.online
Source: global traffic DNS traffic detected: DNS query: www.rtpsilva4d.click
Source: unknown HTTP traffic detected: POST /4bpc/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Host: www.nieuws-july202491.sbsOrigin: http://www.nieuws-july202491.sbsCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 206Referer: http://www.nieuws-july202491.sbs/4bpc/User-Agent: Mozilla/5.0 (iPad; CPU OS 8_4 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12H143 Safari/600.1.4Data Raw: 37 42 6f 68 65 3d 62 34 30 56 31 37 68 34 48 72 58 79 79 39 6d 78 6a 43 53 35 45 34 4f 66 70 47 75 57 68 57 67 48 45 4b 2f 32 4a 6e 43 58 39 39 4f 36 30 4b 2f 57 35 49 43 57 46 4f 6f 4f 44 6a 68 66 62 58 35 59 62 76 4c 4a 4c 4b 44 6e 32 7a 75 4f 46 54 71 5a 69 69 32 51 61 6d 43 65 38 37 79 50 54 68 76 39 4b 79 6b 6a 78 74 45 69 34 2b 78 46 31 66 64 5a 5a 4e 31 68 78 76 55 61 79 46 50 55 70 69 6e 76 44 2f 59 73 74 45 74 4d 4c 77 58 46 75 4b 64 63 4e 54 54 67 4f 71 4e 68 76 47 74 52 6d 6a 62 73 69 62 31 31 73 4e 57 35 58 57 75 5a 77 72 32 49 39 61 61 48 69 66 58 73 30 51 77 55 57 74 36 55 64 39 6a 39 61 4d 63 3d Data Ascii: 7Bohe=b40V17h4HrXyy9mxjCS5E4OfpGuWhWgHEK/2JnCX99O60K/W5ICWFOoODjhfbX5YbvLJLKDn2zuOFTqZii2QamCe87yPThv9KykjxtEi4+xF1fdZZN1hxvUayFPUpinvD/YstEtMLwXFuKdcNTTgOqNhvGtRmjbsib11sNW5XWuZwr2I9aaHifXs0QwUWt6Ud9j9aMc=
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Thu, 24 Oct 2024 13:17:34 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 24 Oct 2024 13:17:50 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 52 4d 55 cf 68 03 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 4b 76 6d 28 fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 5d 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 d4 fb 59 96 69 47 7e d1 cb 00 4c 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e0 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 a2 67 95 5b dc e8 c3 09 cb 3c 36 81 2e ac 38 b3 a3 ff 83 ed be f6 f8 33 81 46 6e 77 7a 66 f2 3e 76 3d a0 25 b3 ae b2 f7 9b bd 0c 17 cf 5a fc 71 fc 4d f6 01 8a 5c 5b e0 4d d2 af 00 91 79 96 96 ee 7d 98 7a d9 8d a0 af 7a 65 2f ed 6d ef ab e5 65 65 56 75 09 ac e3 b8 37 8b 2f a8 79 36 ff 10 41 fe e5 8f 56 17 ae 59 66 e9 e7 eb b1 e1 f5 fa 1e 92 9f 99 e0 8a b3 8b 4e ed ea 22 d7 97 ef 96 05 f2 f6 7b dd f7 81 e2 66 c3 57 69 91 4b fb 90 df 1e 4b 3d 30 80 e3 7d a0 ae 2b b4 16 6e ee 9a c0 66 20 8c 3c ff 7c 23 d7 b3 7f 35 f3 75 57 8c c2 69 82 7e 3f ed 75 6c 72 69 6f 63 57 52 de 72 64 7e 22 d4 af 93 b8 0f 2b 37 29 6f c8 7c 47 12 06 70 f4 83 2b 85 e9 9b 2b 53 f8 27 40 bb b6 c7 0d f5 17 1c 5b 59 55 65 c9 c3 a0 df e3 4d d8 5e 5f 57 58 42 47 d7 83 57 9a 78 47 ff 56 0d bd b9 ef 1d d7 ce 0a b3 b7 df c3 00 84 14 b7 e8 83 d0 fb 8d 5e 35 0e e2 11 c3 5e 59 e3 d3 7d 1e 82 ac 71 8b 2b 7c bd 67 e3 c1 cb ec ba fc 7c d8 04 71 a6 b9 f5 9c 57 26 30 7a 44 50 a3 37 06 af 98 f8 1c c5 af 71 ed 23 43 fd 82 1a eb f8 c6 36 df 3d 2d 4c 2f 31 fb 83 98 17 87 65 75 7f 49 2b 3d e0 53 77 90 d5 55 19 82 80 d0 7f bc b1 df 1b f2 95 bb 9b 60 fc 1d 5e 57 fd 6f d2 02 9e e2 f0 86 2d 2f ce 7a ff ea 23 e3 fb 1d 2e 96 36 e3 d0 07 46 b6 c1 09 c1 2d de c6 df 48 7e bd f1 9b 17 d0 7f b4 d3 25 e1 82 1c f5 59 0c eb 03 c1 7d 98 98 fe ad 19 bf 0b f5 69 ec bd 2c ed 4f 39 20 41 dd ca d7 e7 dc f6 25 3f 5a 59 ec bc 49 d1 eb f1 5a ca 1f 75 d0 66 85 73 6f 01 8c 44 20 47 f5 7f ee cd 38 7e 4f e0 97 a4 02 49 1d 80 7b 00 74 05 b2 c4 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 24 Oct 2024 13:17:53 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 43 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 52 4d 55 cf 68 03 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 4b 76 6d 28 fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 5d 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 d4 fb 59 96 69 47 7e d1 cb 00 4c 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e0 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 a2 67 95 5b dc e8 c3 09 cb 3c 36 81 2e ac 38 b3 a3 ff 83 ed be f6 f8 33 81 46 6e 77 7a 66 f2 3e 76 3d a0 25 b3 ae b2 f7 9b bd 0c 17 cf 5a fc 71 fc 4d f6 01 8a 5c 5b e0 4d d2 af 00 91 79 96 96 ee 7d 98 7a d9 8d a0 af 7a 65 2f ed 6d ef ab e5 65 65 56 75 09 ac e3 b8 37 8b 2f a8 79 36 ff 10 41 fe e5 8f 56 17 ae 59 66 e9 e7 eb b1 e1 f5 fa 1e 92 9f 99 e0 8a b3 8b 4e ed ea 22 d7 97 ef 96 05 f2 f6 7b dd f7 81 e2 66 c3 57 69 91 4b fb 90 df 1e 4b 3d 30 80 e3 7d a0 ae 2b b4 16 6e ee 9a c0 66 20 8c 3c ff 7c 23 d7 b3 7f 35 f3 75 57 8c c2 69 82 7e 3f ed 75 6c 72 69 6f 63 57 52 de 72 64 7e 22 d4 af 93 b8 0f 2b 37 29 6f c8 7c 47 12 06 70 f4 83 2b 85 e9 9b 2b 53 f8 27 40 bb b6 c7 0d f5 17 1c 5b 59 55 65 c9 c3 a0 df e3 4d d8 5e 5f 57 58 42 47 d7 83 57 9a 78 47 ff 56 0d bd b9 ef 1d d7 ce 0a b3 b7 df c3 00 84 14 b7 e8 83 d0 fb 8d 5e 35 0e e2 11 c3 5e 59 e3 d3 7d 1e 82 ac 71 8b 2b 7c bd 67 e3 c1 cb ec ba fc 7c d8 04 71 a6 b9 f5 9c 57 26 30 7a 44 50 a3 37 06 af 98 f8 1c c5 af 71 ed 23 43 fd 82 1a eb f8 c6 36 df 3d 2d 4c 2f 31 fb 83 98 17 87 65 75 7f 49 2b 3d e0 53 77 90 d5 55 19 82 80 d0 7f bc b1 df 1b f2 95 bb 9b 60 fc 1d 5e 57 fd 6f d2 02 9e e2 f0 86 2d 2f ce 7a ff ea 23 e3 fb 1d 2e 96 36 e3 d0 07 46 b6 c1 09 c1 2d de c6 df 48 7e bd f1 9b 17 d0 7f b4 d3 25 e1 82 1c f5 59 0c eb 03 c1 7d 98 98 fe ad 19 bf 0b f5 69 ec bd 2c ed 4f 39 20 41 dd ca d7 e7 dc f6 25 3f 5a 59 ec bc 49 d1 eb f1 5a ca 1f 75 d0 66 85 73 6f 01 8c 44 20 47 f5 7f ee cd 38 7e 4f e0 97 a4 02 49 1d 80 7b 00 74 05 b2 c4 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 24 Oct 2024 13:17:55 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 92 e2 4a 76 fe 7f 9f 02 97 c3 f6 4c a8 ab b5 02 52 4d 55 cf 68 03 09 90 90 04 02 84 c3 71 43 bb 84 56 b4 c3 84 1f c8 af e1 27 73 8a aa ea a2 e8 aa db 3d 0e ff 70 f6 8f 42 b9 9c 3c cb 77 ce c9 ce 93 bf fd f6 db e3 3f 71 4b 76 6d 28 fc 20 a8 92 f8 db 6f 8f cf 7f 06 a0 3d 06 ae e9 7c fb ed f2 33 71 2b 13 cc a8 f2 7b f7 58 87 cd d3 1d 9b a5 95 9b 56 f7 d5 29 77 ef 06 f6 f3 d7 d3 5d e5 76 15 dc 93 f8 cb c0 0e cc a2 74 ab a7 ba f2 ee c9 bb 4f e9 98 76 e0 de f7 eb 8b 2c be 22 94 66 f7 76 3f f4 e9 42 a5 30 fd c4 fc 47 56 f0 5d 1e 16 6e 79 b5 04 79 47 3d 35 13 f7 e9 ae 09 dd 36 cf 8a ea 6a 5a 1b 3a 55 f0 e4 b8 4d 68 bb f7 97 8f 2f 83 30 0d ab d0 8c ef 4b db 8c dd 27 f4 eb 77 52 55 58 c5 ee 37 02 21 06 72 56 0d 26 59 9d 3a 8f f0 73 e7 b3 2a cb ea 14 bb 83 5e 6f 2f ea b2 cb f2 85 8f 5e d5 56 e6 9c 06 7f bf 4c ed 3f fb e6 01 ed dc 7b 66 12 c6 a7 87 01 5d 80 6d bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 2e 2b c3 b3 fb 30 40 89 bc 7b 3f 18 87 a9 7b 1f b8 a1 1f 54 60 f8 2b 81 91 c3 31 4a 60 d4 fb 59 96 69 47 7e d1 cb 00 4c 14 67 c5 c3 e0 9f bd 4b 7b 3f ed 75 0c 9b e0 18 8e bc 1f cb 4d c7 09 53 ff 61 70 d3 9f 98 85 1f a6 ef ba ff f3 3b fb a5 6b 57 61 96 7e 01 a2 67 95 5b dc e8 c3 09 cb 3c 36 81 2e ac 38 b3 a3 ff 83 ed be f6 f8 33 81 46 6e 77 7a 66 f2 3e 76 3d a0 25 b3 ae b2 f7 9b bd 0c 17 cf 5a fc 71 fc 4d f6 01 8a 5c 5b e0 4d d2 af 00 91 79 96 96 ee 7d 98 7a d9 8d a0 af 7a 65 2f ed 6d ef ab e5 65 65 56 75 09 ac e3 b8 37 8b 2f a8 79 36 ff 10 41 fe e5 8f 56 17 ae 59 66 e9 e7 eb b1 e1 f5 fa 1e 92 9f 99 e0 8a b3 8b 4e ed ea 22 d7 97 ef 96 05 f2 f6 7b dd f7 81 e2 66 c3 57 69 91 4b fb 90 df 1e 4b 3d 30 80 e3 7d a0 ae 2b b4 16 6e ee 9a c0 66 20 8c 3c ff 7c 23 d7 b3 7f 35 f3 75 57 8c c2 69 82 7e 3f ed 75 6c 72 69 6f 63 57 52 de 72 64 7e 22 d4 af 93 b8 0f 2b 37 29 6f c8 7c 47 12 06 70 f4 83 2b 85 e9 9b 2b 53 f8 27 40 bb b6 c7 0d f5 17 1c 5b 59 55 65 c9 c3 a0 df e3 4d d8 5e 5f 57 58 42 47 d7 83 57 9a 78 47 ff 56 0d bd b9 ef 1d d7 ce 0a b3 b7 df c3 00 84 14 b7 e8 83 d0 fb 8d 5e 35 0e e2 11 c3 5e 59 e3 d3 7d 1e 82 ac 71 8b 2b 7c bd 67 e3 c1 cb ec ba fc 7c d8 04 71 a6 b9 f5 9c 57 26 30 7a 44 50 a3 37 06 af 98 f8 1c c5 af 71 ed 23 43 fd 82 1a eb f8 c6 36 df 3d 2d 4c 2f 31 fb 83 98 17 87 65 75 7f 49 2b 3d e0 53 77 90 d5 55 19 82 80 d0 7f bc b1 df 1b f2 95 bb 9b 60 fc 1d 5e 57 fd 6f d2 02 9e e2 f0 86 2d 2f ce 7a ff ea 23 e3 fb 1d 2e 96 36 e3 d0 07 46 b6 c1 09 c1 2d de c6 df 48 7e bd f1 9b 17 d0 7f b4 d3 25 e1 82 1c f5 59 0c eb 03 c1 7d 98 98 fe ad 19 bf 0b f5 69 ec bd 2c ed 4f 39 20 41 dd ca d7 e7 dc f6 25 3f 5a 59 ec bc 49 d1 eb f1 5a ca 1f 75 d0 66 85 73 6f 01 8c 44 20 47 f5 7f ee cd 38 7e 4f e0 97 a4 02 49 1d 80 7b 00 74 05 b2 c4 6
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Thu, 24 Oct 2024 13:17:58 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 38 46 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 24 Oct 2024 13:18:03 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "6632e438-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 24 Oct 2024 13:18:06 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "6632e438-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 24 Oct 2024 13:18:09 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "6632e438-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 24 Oct 2024 13:18:11 GMTContent-Type: text/htmlContent-Length: 520Connection: closeETag: "6632e438-208"Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 e9 94 9b e5 b1 be e5 81 8d e7 92 87 e9 94 8b e7 9c b0 e9 90 a8 e5 8b ac e6 9e 83 e6 b5 a0 e6 9c b5 e7 ac 89 e7 80 9b e6 a8 ba e6 b9 aa 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:17 GMTServer: ApacheX-Powered-By: PHP/8.2.23Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.coba168.info/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 68 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 62 61 31 36 38 2e 69 6e 66 6f 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e 37 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 95 e0 b8 81 e0 b8 87 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 9e e0 b8 a3 e0 b9 89 e0 b8 ad e0 b8 a1 e0 b9 80 e0 b8 84 e0 b8 a3 e0 b8 94 e0 b8 b4 e0 b8 95 e0 b8 9f e0 b8 a3 e0 b8 b5 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 68 5f 54 48 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 Data Ascii: 4000<!DOCTYPE html><html lang="th"><head><meta charset="UTF-8" /><me
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:20 GMTServer: ApacheX-Powered-By: PHP/8.2.23Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.coba168.info/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 68 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 62 61 31 36 38 2e 69 6e 66 6f 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e 37 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 95 e0 b8 81 e0 b8 87 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 9e e0 b8 a3 e0 b9 89 e0 b8 ad e0 b8 a1 e0 b9 80 e0 b8 84 e0 b8 a3 e0 b8 94 e0 b8 b4 e0 b8 95 e0 b8 9f e0 b8 a3 e0 b8 b5 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 68 5f 54 48 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 Data Ascii: 4000<!DOCTYPE html><html lang="th"><head><meta charset="UTF-8" /><me
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:22 GMTServer: ApacheX-Powered-By: PHP/8.2.23Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.coba168.info/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 68 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 62 61 31 36 38 2e 69 6e 66 6f 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e 37 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 95 e0 b8 81 e0 b8 87 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 9e e0 b8 a3 e0 b9 89 e0 b8 ad e0 b8 a1 e0 b9 80 e0 b8 84 e0 b8 a3 e0 b8 94 e0 b8 b4 e0 b8 95 e0 b8 9f e0 b8 a3 e0 b8 b5 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 68 5f 54 48 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 Data Ascii: 4000<!DOCTYPE html><html lang="th"><head><meta charset="UTF-8" /><me
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:25 GMTServer: ApacheX-Powered-By: PHP/8.2.23Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.coba168.info/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 68 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 63 6f 62 61 31 36 38 2e 69 6e 66 6f 2f 78 6d 6c 72 70 63 2e 70 68 70 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6e 6f 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 27 20 2f 3e 0a 0a 09 3c 21 2d 2d 20 54 68 69 73 20 73 69 74 65 20 69 73 20 6f 70 74 69 6d 69 7a 65 64 20 77 69 74 68 20 74 68 65 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 20 76 32 33 2e 37 20 2d 20 68 74 74 70 73 3a 2f 2f 79 6f 61 73 74 2e 63 6f 6d 2f 77 6f 72 64 70 72 65 73 73 2f 70 6c 75 67 69 6e 73 2f 73 65 6f 2f 20 2d 2d 3e 0a 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 95 e0 b8 81 e0 b8 87 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 9e e0 b8 a3 e0 b9 89 e0 b8 ad e0 b8 a1 e0 b9 80 e0 b8 84 e0 b8 a3 e0 b8 94 e0 b8 b4 e0 b8 95 e0 b8 9f e0 b8 a3 e0 b8 b5 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 6c 6f 63 61 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 68 5f 54 48 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 70 72 6f 70 65 72 74 79 3d 22 6f 67 3a 74 69 74 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 63 6f 62 61 31 36 38 20 e0 b8 aa e0 b8 a5 e0 b9 87 e0 b8 ad e0 b8 95 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 20 e0 b8 a3 e0 b8 a7 e0 b8 a1 e0 b9 80 e0 b8 81 e0 b8 a1 e0 b8 84 e0 b8 b8 e0 b8 93 e0 b8 a0 e0 b8 b2 e0 b8 9e e0 b8 88 e0 b8 b2 e0 b8 81 e0 b8 84 e0 b9 88 e0 b8 b2 e0 b8 a2 e0 b8 94 e0 b8 b1 e0 b8 87 20 e0 b9 81 e0 b8 Data Ascii: 4000<!DOCTYPE html><html lang="th"><head><meta charset="UTF-8" /><me
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:45 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:18:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:20:58 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:21:01 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:21:04 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 13:21:06 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Thu, 24 Oct 2024 13:21:15 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Thu, 24 Oct 2024 13:21:21 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 35 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 5a e9 72 e3 48 72 fe 3f 4f 41 cb 61 7b 37 d0 6a 9c 24 01 ad d4 bb b8 48 80 24 40 00 24 48 82 0e c7 04 6e 80 38 89 9b dc f0 03 f9 35 fc 64 2e 50 52 8b 62 4b d3 bd 0e ff 70 cd 44 88 a8 23 2b 8f 2f 33 ab 2b eb b7 df 7e 7b fc 27 6e c9 ae 0d 85 1f 04 55 12 7f fb ed f1 f9 cf 00 b4 c7 c0 35 9d 6f bf 5d 7e 26 6e 65 82 19 55 7e ef 1e eb b0 79 ba 63 b3 b4 72 d3 ea be 3a e5 ee dd c0 7e fe 7a ba ab dc ae 82 7b 12 7f 19 d8 81 59 94 6e f5 54 57 de 3d 79 f7 29 1d d3 0e dc fb 7e 7d 91 c5 57 84 d2 ec de ee 87 3e 5d a8 14 a6 9f 98 ff c8 0a be cb c3 c2 2d af 96 20 ef a8 a7 66 e2 3e dd 35 a1 db e6 59 51 5d 4d 6b 43 a7 0a 9e 1c b7 09 6d f7 fe f2 f1 65 10 a6 61 15 9a f1 7d 69 9b b1 fb 84 7e fd 4e aa 0a ab d8 fd 46 20 c4 40 ce aa c1 24 ab 53 e7 11 7e ee 7c 56 65 59 9d 62 77 d0 eb ed 45 5d 76 59 be f0 d1 ab da ca 9c d3 e0 ef 97 a9 fd 67 df 3c a0 9d 7b cf 4c c2 f8 f4 30 a0 0b b0 ed 97 81 e0 c6 8d 5b 85 b6 f9 65 50 9a 69 79 5f ba 45 e8 fd e5 c7 65 65 78 76 1f 06 28 91 77 ef 07 e3 30 75 ef 03 37 f4 83 0a 0c 7f 25 30 72 38 46 09 8c 7a 3f cb 32 ed c8 2f 7a 19 80 89 e2 ac 78 18 fc b3 77 69 ef a7 bd 8e 61 13 1c c3 91 f7 63 b9 e9 38 61 ea 3f 0c 6e fa 13 b3 f0 c3 f4 5d f7 7f 7e 67 bf 74 ed 2a cc d2 2f 40 f4 ac 72 8b 1b 7d 38 61 99 c7 26 d0 85 15 67 76 f4 7f b0 dd d7 1e 7f 26 d0 c8 ed 4e cf 4c de c7 ae 07 b4 64 d6 55 f6 7e b3 97 e1 e2 59 8b 3f 8e bf c9 3e 40 91 6b 0b bc 49 fa 15 20 32 cf d2 d2 bd 0f 53 2f bb 11 f4 55 af ec a5 bd ed 7d b5 bc ac cc aa 2e 81 75 1c f7 66 f1 05 35 cf e6 1f 22 c8 bf fc d1 ea c2 35 cb 2c fd 7c 3d 36 bc 5e df 43 f2 33 13 5c 71 76 d1 a9 5d 5d e4 fa f2 dd b2 40 de 7e af fb 3e 50 dc 6c f8 2a 2d 72 69 1f f2 db 63 a9 07 06 70 bc 0f d4 75 85 d6 c2 cd 5d 13 d8 0c 84 91 e7 9f 6f e4 7a f6 af 66 be ee 8a 51 38 4d d0 ef a7 bd 8e 4d 2e ed 6d ec 4a ca 5b 8e cc 4f 84 fa 75 12 f7 61 e5 26 e5 0d 99 ef 48 c2 00 8e 7e 70 a5 30 7d 73 65 0a ff 04 68 d7 f6 b8 a1 fe 82 63 2b ab aa 2c 79 18 f4 7b bc 09 db eb eb 0a 4b e8 e8 7a f0 4a 13 ef e8 df aa a1 37 f7 bd e3 da 59 61 f6 f6 7b 18 80 90 e2 16 7d 10 7a bf d1 ab c6 41 3c 62 d8 2b 6b 7c ba cf 43 90 35 6e 71 85 af f7 6c 3c 78 99 5d 97 9f 0f 9b 20 ce 34 b7 9e f3 ca 04 46 8f 08 6a f4 c6 e0 15 13 9f a3 f8 35 ae 7d 64 a8 5f 50 63 1d df d8 e6 bb a7 85 e9 25 66 7f 10 f3 e2 b0 ac ee 2f 69 a5 07 7c ea 0e b2 ba 2a 43 10 10 fa 8f 37 f6 7b 43 be 72 77 13 8c bf c3 eb aa ff 4d 5a c0 53 1c de b0 e5 c5 59 ef 5f 7d 64 7c bf c3 c5 d2 66 1c fa c0 c8 36 38 21 b8 c5 db f8 1b c9 af 37 7e f3 02 fa 8f 76 ba 24 5c 90 a3 3e 8b 61 7d 20 b8 0f 13 d3 bf 35 e3 77 a1 3e 8d bd 97 a5 fd 29 07 24 a8 5b f9 fa 9c db be e4 47 2b 8b 9d 37 29 7a 3d 5e 4b f9 a3 0e da ac 70 ee 2d 80 91 08 e4 a8 fe cf bd 19 c7 ef 09 fc 92 54 20 a9 03 70 0f 80 ae 40 96 b
Source: mshta.exe, 00000008.00000002.4595178953.0000000004466000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.0000000002DF6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://gmpg.org/xfn/11
Source: QUOTE2342534.exe, 00000000.00000002.2143831590.0000000002B57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTE2342534.exe String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.23.2
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor-pro/assets/css/widget-blockquote.min.css?ver=3.
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js?ver=3.23
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.23.2
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver=3.
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/css/conditionals/e-swiper.min.css?ver=3.
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.24.7
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/css/widget-icon-box.min.css?ver=3.24.7
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/css/widget-icon-list.min.css?ver=3.24.3
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/css/widget-image.min.css?ver=3.24.7
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/css/widget-social-icons.min.css?ver=3.24
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/css/widget-text-editor.min.css?ver=3.24.
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.24.7
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.24.7
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.24.7
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/lib/animations/styles/bounce.min.css?ver
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/lib/font-awesome/css/brands.css?ver=5.15
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.css?ver
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.css?ver=5.15.
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/elementor/assets/lib/swiper/v8/css/swiper.min.css?ver=8.4
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/header-footer-elementor/assets/css/header-footer-elemento
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/header-footer-elementor/inc/js/frontend.js?ver=1.6.44
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/header-footer-elementor/inc/widgets-css/frontend.css?ver=
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/plugins/wp-staging/assets/js/dist/wpstg-blank-loader.min.js?ver=6
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/themes/hello-elementor/assets/js/hello-frontend.min.js?ver=3.1.1
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/themes/hello-elementor/header-footer.min.css?ver=3.1.1
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/themes/hello-elementor/style.min.css?ver=3.1.1
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/themes/hello-elementor/theme.min.css?ver=3.1.1
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/uploads/elementor/css/global.css?ver=1728530365
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/uploads/elementor/css/post-12.css?ver=1728540809
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/uploads/elementor/css/post-51.css?ver=1728540719
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-content/uploads/elementor/css/post-8.css?ver=1728530364
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-includes/css/dist/block-library/style.min.css?ver=6.6.2
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-includes/js/dist/hooks.min.js?ver=2810c76e705dd1a53b18
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-includes/js/dist/i18n.min.js?ver=5e580eb46a90c2b997e6
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.4.1
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-includes/js/jquery/jquery.min.js?ver=3.7.1
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/wp-includes/js/jquery/ui/core.min.js?ver=1.13.3
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: http://www.coba168.info/xmlrpc.php
Source: qnPyaKsYTE.exe, 0000000A.00000002.4597123623.0000000004D3B000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.rtpsilva4d.click
Source: qnPyaKsYTE.exe, 0000000A.00000002.4597123623.0000000004D3B000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.rtpsilva4d.click/3x2e/
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://api.w.org/
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://app.ddgame168.online/utm-source/coba168-info
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto%3A100%2C100italic%2C200%2C200italic%2C300%2C300italic
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com/
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://line.me/R/ti/p/
Source: mshta.exe, 00000008.00000002.4592995544.0000000002FED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mshta.exe, 00000008.00000002.4592995544.0000000002FED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mshta.exe, 00000008.00000002.4592995544.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4592995544.0000000002FED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mshta.exe, 00000008.00000002.4592995544.0000000002FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: mshta.exe, 00000008.00000002.4592995544.0000000002FED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mshta.exe, 00000008.00000002.4592995544.0000000002FED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mshta.exe, 00000008.00000003.2408754560.0000000008214000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: mshta.exe, 00000008.00000002.4595178953.00000000058D0000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.0000000004260000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://onlineblikjes.nl/?7Bohe=9B/xOqaHJLGzhK9
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://schema.org
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://schema.org/WPFooter
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://schema.org/WPHeader
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/#/schema/logo/image/
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/#organization
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/#website
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/%e0%b8%9a%e0%b8%97%e0%b8%84%e0%b8%a7%e0%b8%b2%e0%b8%a1/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/?s=
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/about-us/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/comments/feed/
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/contact-us/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/feed/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/login/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/privacy-policy-2/
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/promotion/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/register
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/sitemap_index.xml
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/slot-online/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/terms-and-conditions/
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/wp-content/uploads/2024/08/5.png
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/wp-content/uploads/2024/10/COBA-168-
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/wp-content/uploads/2024/10/cropped-COBA-168-
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/wp-json/
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.coba168.info/xmlrpc.php?rsd
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: mshta.exe, 00000008.00000003.2413498056.00000000082F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: mshta.exe, 00000008.00000002.4595178953.000000000478A000.00000004.10000000.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594821635.000000000311A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://yoast.com/wordpress/plugins/seo/

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4594417209.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2231861338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4594132519.0000000003340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4597123623.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4592913893.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2232369881.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2233350481.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4594398823.0000000003FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.QUOTE2342534.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.QUOTE2342534.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4594417209.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2231861338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4594132519.0000000003340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4597123623.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4592913893.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2232369881.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2233350481.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4594398823.0000000003FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F2CA8 NtQueryInformationProcess, 0_2_089F2CA8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F2CA0 NtQueryInformationProcess, 0_2_089F2CA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0042C4E3 NtClose, 4_2_0042C4E3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762B60 NtClose,LdrInitializeThunk, 4_2_01762B60
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_01762DF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_01762C70
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017635C0 NtCreateMutant,LdrInitializeThunk, 4_2_017635C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01764340 NtSetContextThread, 4_2_01764340
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01764650 NtSuspendThread, 4_2_01764650
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762BF0 NtAllocateVirtualMemory, 4_2_01762BF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762BE0 NtQueryValueKey, 4_2_01762BE0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762BA0 NtEnumerateValueKey, 4_2_01762BA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762B80 NtQueryInformationFile, 4_2_01762B80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762AF0 NtWriteFile, 4_2_01762AF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762AD0 NtReadFile, 4_2_01762AD0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762AB0 NtWaitForSingleObject, 4_2_01762AB0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762D30 NtUnmapViewOfSection, 4_2_01762D30
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762D10 NtMapViewOfSection, 4_2_01762D10
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762D00 NtSetInformationFile, 4_2_01762D00
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762DD0 NtDelayExecution, 4_2_01762DD0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762DB0 NtEnumerateKey, 4_2_01762DB0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762C60 NtCreateKey, 4_2_01762C60
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762C00 NtQueryInformationProcess, 4_2_01762C00
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762CF0 NtOpenProcess, 4_2_01762CF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762CC0 NtQueryVirtualMemory, 4_2_01762CC0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762CA0 NtQueryInformationToken, 4_2_01762CA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762F60 NtCreateProcessEx, 4_2_01762F60
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762F30 NtCreateSection, 4_2_01762F30
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762FE0 NtCreateFile, 4_2_01762FE0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762FB0 NtResumeThread, 4_2_01762FB0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762FA0 NtQuerySection, 4_2_01762FA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762F90 NtProtectVirtualMemory, 4_2_01762F90
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762E30 NtWriteVirtualMemory, 4_2_01762E30
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762EE0 NtQueueApcThread, 4_2_01762EE0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762EA0 NtAdjustPrivilegesToken, 4_2_01762EA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762E80 NtReadVirtualMemory, 4_2_01762E80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01763010 NtOpenDirectoryObject, 4_2_01763010
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01763090 NtSetValueKey, 4_2_01763090
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017639B0 NtGetContextThread, 4_2_017639B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01763D70 NtOpenThread, 4_2_01763D70
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01763D10 NtOpenProcessToken, 4_2_01763D10
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03884340 NtSetContextThread,LdrInitializeThunk, 8_2_03884340
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03884650 NtSuspendThread,LdrInitializeThunk, 8_2_03884650
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882BA0 NtEnumerateValueKey,LdrInitializeThunk, 8_2_03882BA0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882BE0 NtQueryValueKey,LdrInitializeThunk, 8_2_03882BE0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_03882BF0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882B60 NtClose,LdrInitializeThunk, 8_2_03882B60
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882AD0 NtReadFile,LdrInitializeThunk, 8_2_03882AD0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882AF0 NtWriteFile,LdrInitializeThunk, 8_2_03882AF0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882FB0 NtResumeThread,LdrInitializeThunk, 8_2_03882FB0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882FE0 NtCreateFile,LdrInitializeThunk, 8_2_03882FE0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882F30 NtCreateSection,LdrInitializeThunk, 8_2_03882F30
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882E80 NtReadVirtualMemory,LdrInitializeThunk, 8_2_03882E80
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882EE0 NtQueueApcThread,LdrInitializeThunk, 8_2_03882EE0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882DD0 NtDelayExecution,LdrInitializeThunk, 8_2_03882DD0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882DF0 NtQuerySystemInformation,LdrInitializeThunk, 8_2_03882DF0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882D10 NtMapViewOfSection,LdrInitializeThunk, 8_2_03882D10
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882D30 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_03882D30
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882CA0 NtQueryInformationToken,LdrInitializeThunk, 8_2_03882CA0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882C60 NtCreateKey,LdrInitializeThunk, 8_2_03882C60
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882C70 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_03882C70
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038835C0 NtCreateMutant,LdrInitializeThunk, 8_2_038835C0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038839B0 NtGetContextThread,LdrInitializeThunk, 8_2_038839B0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882B80 NtQueryInformationFile, 8_2_03882B80
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882AB0 NtWaitForSingleObject, 8_2_03882AB0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882F90 NtProtectVirtualMemory, 8_2_03882F90
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882FA0 NtQuerySection, 8_2_03882FA0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882F60 NtCreateProcessEx, 8_2_03882F60
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882EA0 NtAdjustPrivilegesToken, 8_2_03882EA0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882E30 NtWriteVirtualMemory, 8_2_03882E30
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882DB0 NtEnumerateKey, 8_2_03882DB0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882D00 NtSetInformationFile, 8_2_03882D00
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882CC0 NtQueryVirtualMemory, 8_2_03882CC0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882CF0 NtOpenProcess, 8_2_03882CF0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03882C00 NtQueryInformationProcess, 8_2_03882C00
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03883090 NtSetValueKey, 8_2_03883090
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03883010 NtOpenDirectoryObject, 8_2_03883010
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03883D10 NtOpenProcessToken, 8_2_03883D10
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03883D70 NtOpenThread, 8_2_03883D70
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F48E10 NtCreateFile, 8_2_02F48E10
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F48F80 NtReadFile, 8_2_02F48F80
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F49280 NtAllocateVirtualMemory, 8_2_02F49280
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F49070 NtDeleteFile, 8_2_02F49070
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F49110 NtClose, 8_2_02F49110
Detected potential crypto function
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_00EFD304 0_2_00EFD304
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F8B70 0_2_089F8B70
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F5020 0_2_089F5020
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F0040 0_2_089F0040
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F33FC 0_2_089F33FC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089FD848 0_2_089FD848
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089FBB80 0_2_089FBB80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F8B62 0_2_089F8B62
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F1C80 0_2_089F1C80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F8C22 0_2_089F8C22
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F1C70 0_2_089F1C70
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F2E28 0_2_089F2E28
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089FBFB8 0_2_089FBFB8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F20B8 0_2_089F20B8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F5012 0_2_089F5012
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F0006 0_2_089F0006
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F52B0 0_2_089F52B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F52A2 0_2_089F52A2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089FD410 0_2_089FD410
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089F2578 0_2_089F2578
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_089FB748 0_2_089FB748
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 0_2_0EF41B88 0_2_0EF41B88
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_00418543 4_2_00418543
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0040284A 4_2_0040284A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_00402850 4_2_00402850
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_00410093 4_2_00410093
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_00403150 4_2_00403150
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0040E113 4_2_0040E113
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0042EB03 4_2_0042EB03
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0040FE6E 4_2_0040FE6E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0040FE73 4_2_0040FE73
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_00416733 4_2_00416733
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B8158 4_2_017B8158
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CA118 4_2_017CA118
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720100 4_2_01720100
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E81CC 4_2_017E81CC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F01AA 4_2_017F01AA
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E41A2 4_2_017E41A2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EA352 4_2_017EA352
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E3F0 4_2_0173E3F0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F03E6 4_2_017F03E6
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B02C0 4_2_017B02C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730535 4_2_01730535
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F0591 4_2_017F0591
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E2446 4_2_017E2446
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D4420 4_2_017D4420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DE4F6 4_2_017DE4F6
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01754750 4_2_01754750
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172C7C0 4_2_0172C7C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174C6E0 4_2_0174C6E0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01746962 4_2_01746962
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017FA9A6 4_2_017FA9A6
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173A840 4_2_0173A840
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01732840 4_2_01732840
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E8F0 4_2_0175E8F0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017168B8 4_2_017168B8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EAB40 4_2_017EAB40
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E6BD7 4_2_017E6BD7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CCD1F 4_2_017CCD1F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173AD00 4_2_0173AD00
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172ADE0 4_2_0172ADE0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01748DBF 4_2_01748DBF
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730C00 4_2_01730C00
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720CF2 4_2_01720CF2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0CB5 4_2_017D0CB5
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A4F40 4_2_017A4F40
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01750F30 4_2_01750F30
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D2F30 4_2_017D2F30
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01772F28 4_2_01772F28
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173CFE0 4_2_0173CFE0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01722FC8 4_2_01722FC8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AEFA0 4_2_017AEFA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730E59 4_2_01730E59
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EEE26 4_2_017EEE26
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EEEDB 4_2_017EEEDB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01742E90 4_2_01742E90
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017ECE93 4_2_017ECE93
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171F172 4_2_0171F172
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017FB16B 4_2_017FB16B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0176516C 4_2_0176516C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173B1B0 4_2_0173B1B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E70E9 4_2_017E70E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EF0E0 4_2_017EF0E0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DF0CC 4_2_017DF0CC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017370C0 4_2_017370C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171D34C 4_2_0171D34C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E132D 4_2_017E132D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0177739A 4_2_0177739A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D12ED 4_2_017D12ED
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174B2C0 4_2_0174B2C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017352A0 4_2_017352A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E7571 4_2_017E7571
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CD5B0 4_2_017CD5B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01721460 4_2_01721460
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EF43F 4_2_017EF43F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EF7B0 4_2_017EF7B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01775630 4_2_01775630
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E16CC 4_2_017E16CC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01739950 4_2_01739950
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174B950 4_2_0174B950
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C5910 4_2_017C5910
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179D800 4_2_0179D800
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017338E0 4_2_017338E0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EFB76 4_2_017EFB76
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A5BF0 4_2_017A5BF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0176DBF9 4_2_0176DBF9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174FB80 4_2_0174FB80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A3A6C 4_2_017A3A6C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EFA49 4_2_017EFA49
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E7A46 4_2_017E7A46
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DDAC6 4_2_017DDAC6
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CDAAC 4_2_017CDAAC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01775AA0 4_2_01775AA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D1AA3 4_2_017D1AA3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E7D73 4_2_017E7D73
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E1D5A 4_2_017E1D5A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01733D40 4_2_01733D40
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174FDC0 4_2_0174FDC0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A9C32 4_2_017A9C32
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EFCF2 4_2_017EFCF2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EFF09 4_2_017EFF09
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EFFB1 4_2_017EFFB1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01731F92 4_2_01731F92
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01739EB0 4_2_01739EB0
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_041AB58A 7_2_041AB58A
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_04194FCA 7_2_04194FCA
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0418C8FA 7_2_0418C8FA
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0418C8F5 7_2_0418C8F5
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_041931BA 7_2_041931BA
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0418CB1A 7_2_0418CB1A
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0418AB9A 7_2_0418AB9A
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0385E3F0 8_2_0385E3F0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_039103E6 8_2_039103E6
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390A352 8_2_0390A352
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038D02C0 8_2_038D02C0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038F0274 8_2_038F0274
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_039041A2 8_2_039041A2
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_039101AA 8_2_039101AA
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_039081CC 8_2_039081CC
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03840100 8_2_03840100
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038EA118 8_2_038EA118
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038D8158 8_2_038D8158
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038E2000 8_2_038E2000
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0384C7C0 8_2_0384C7C0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03874750 8_2_03874750
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03850770 8_2_03850770
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0386C6E0 8_2_0386C6E0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03910591 8_2_03910591
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03850535 8_2_03850535
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038FE4F6 8_2_038FE4F6
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038F4420 8_2_038F4420
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03902446 8_2_03902446
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03906BD7 8_2_03906BD7
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390AB40 8_2_0390AB40
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0384EA80 8_2_0384EA80
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038529A0 8_2_038529A0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0391A9A6 8_2_0391A9A6
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03866962 8_2_03866962
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038368B8 8_2_038368B8
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0387E8F0 8_2_0387E8F0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03852840 8_2_03852840
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0385A840 8_2_0385A840
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038CEFA0 8_2_038CEFA0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03842FC8 8_2_03842FC8
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0385CFE0 8_2_0385CFE0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03892F28 8_2_03892F28
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03870F30 8_2_03870F30
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038F2F30 8_2_038F2F30
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038C4F40 8_2_038C4F40
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390CE93 8_2_0390CE93
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03862E90 8_2_03862E90
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390EEDB 8_2_0390EEDB
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390EE26 8_2_0390EE26
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03850E59 8_2_03850E59
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03868DBF 8_2_03868DBF
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0384ADE0 8_2_0384ADE0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0385AD00 8_2_0385AD00
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038ECD1F 8_2_038ECD1F
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038F0CB5 8_2_038F0CB5
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03840CF2 8_2_03840CF2
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03850C00 8_2_03850C00
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0389739A 8_2_0389739A
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390132D 8_2_0390132D
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0383D34C 8_2_0383D34C
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038552A0 8_2_038552A0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0386B2C0 8_2_0386B2C0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038F12ED 8_2_038F12ED
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0385B1B0 8_2_0385B1B0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0388516C 8_2_0388516C
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0383F172 8_2_0383F172
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0391B16B 8_2_0391B16B
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038FF0CC 8_2_038FF0CC
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038570C0 8_2_038570C0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390F0E0 8_2_0390F0E0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_039070E9 8_2_039070E9
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390F7B0 8_2_0390F7B0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_039016CC 8_2_039016CC
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038ED5B0 8_2_038ED5B0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03907571 8_2_03907571
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390F43F 8_2_0390F43F
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03841460 8_2_03841460
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0386FB80 8_2_0386FB80
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0388DBF9 8_2_0388DBF9
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038C5BF0 8_2_038C5BF0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390FB76 8_2_0390FB76
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038EDAAC 8_2_038EDAAC
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03895AA0 8_2_03895AA0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038F1AA3 8_2_038F1AA3
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038FDAC6 8_2_038FDAC6
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03907A46 8_2_03907A46
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390FA49 8_2_0390FA49
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038C3A6C 8_2_038C3A6C
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038E5910 8_2_038E5910
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03859950 8_2_03859950
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0386B950 8_2_0386B950
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038538E0 8_2_038538E0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038BD800 8_2_038BD800
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03851F92 8_2_03851F92
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390FFB1 8_2_0390FFB1
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03813FD2 8_2_03813FD2
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03813FD5 8_2_03813FD5
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390FF09 8_2_0390FF09
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03859EB0 8_2_03859EB0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0386FDC0 8_2_0386FDC0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03853D40 8_2_03853D40
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03901D5A 8_2_03901D5A
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03907D73 8_2_03907D73
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0390FCF2 8_2_0390FCF2
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038C9C32 8_2_038C9C32
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F31B20 8_2_02F31B20
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F2CAA0 8_2_02F2CAA0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F2CA9B 8_2_02F2CA9B
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F2CCC0 8_2_02F2CCC0
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F2AD40 8_2_02F2AD40
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F33360 8_2_02F33360
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F35170 8_2_02F35170
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F4B730 8_2_02F4B730
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03B6E374 8_2_03B6E374
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03B6E5FB 8_2_03B6E5FB
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03B6E493 8_2_03B6E493
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03B6CB2D 8_2_03B6CB2D
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03B6D898 8_2_03B6D898
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03B6E82D 8_2_03B6E82D
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\mshta.exe Code function: String function: 0383B970 appears 280 times
Source: C:\Windows\SysWOW64\mshta.exe Code function: String function: 038CF290 appears 105 times
Source: C:\Windows\SysWOW64\mshta.exe Code function: String function: 03885130 appears 58 times
Source: C:\Windows\SysWOW64\mshta.exe Code function: String function: 03897E54 appears 102 times
Source: C:\Windows\SysWOW64\mshta.exe Code function: String function: 038BEA12 appears 86 times
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: String function: 017AF290 appears 105 times
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: String function: 01777E54 appears 103 times
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: String function: 0179EA12 appears 86 times
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: String function: 0171B970 appears 280 times
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: String function: 01765130 appears 58 times
Sample file is different than original file name gathered from version info
Source: QUOTE2342534.exe, 00000000.00000002.2140837926.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs QUOTE2342534.exe
Source: QUOTE2342534.exe, 00000000.00000002.2156658228.000000000B860000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs QUOTE2342534.exe
Source: QUOTE2342534.exe, 00000004.00000002.2232503719.000000000181D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTE2342534.exe
Source: QUOTE2342534.exe, 00000004.00000002.2232065125.0000000001197000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSHTA.EXED vs QUOTE2342534.exe
Source: QUOTE2342534.exe, 00000004.00000002.2232065125.00000000011A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSHTA.EXED vs QUOTE2342534.exe
Source: QUOTE2342534.exe Binary or memory string: OriginalFilenameiFFZ.exe> vs QUOTE2342534.exe
Uses 32bit PE files
Source: QUOTE2342534.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 4.2.QUOTE2342534.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.QUOTE2342534.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4594417209.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2231861338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4594132519.0000000003340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4597123623.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4592913893.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2232369881.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2233350481.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4594398823.0000000003FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: QUOTE2342534.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, b9hATX05wLpDVq4ne4.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, b9hATX05wLpDVq4ne4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, b9hATX05wLpDVq4ne4.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, b9hATX05wLpDVq4ne4.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, RgTGNHbnx4wRLD1BjK.cs Security API names: _0020.SetAccessControl
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, RgTGNHbnx4wRLD1BjK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, RgTGNHbnx4wRLD1BjK.cs Security API names: _0020.AddAccessRule
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, RgTGNHbnx4wRLD1BjK.cs Security API names: _0020.SetAccessControl
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, RgTGNHbnx4wRLD1BjK.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, RgTGNHbnx4wRLD1BjK.cs Security API names: _0020.AddAccessRule
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/7@16/11
Source: C:\Users\user\Desktop\QUOTE2342534.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTE2342534.exe.log Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2360:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ztmdjh4q.hu2.ps1 Jump to behavior
Source: QUOTE2342534.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QUOTE2342534.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\QUOTE2342534.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: mshta.exe, 00000008.00000002.4592995544.0000000003029000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4592995544.000000000305C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2413656101.000000000305C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2413656101.0000000003029000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: QUOTE2342534.exe ReversingLabs: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\QUOTE2342534.exe "C:\Users\user\Desktop\QUOTE2342534.exe"
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTE2342534.exe"
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Users\user\Desktop\QUOTE2342534.exe "C:\Users\user\Desktop\QUOTE2342534.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTE2342534.exe" Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Users\user\Desktop\QUOTE2342534.exe "C:\Users\user\Desktop\QUOTE2342534.exe" Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winsqlite3.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\QUOTE2342534.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: QUOTE2342534.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTE2342534.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: QUOTE2342534.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mshta.pdbGCTL source: QUOTE2342534.exe, 00000004.00000002.2232065125.0000000001197000.00000004.00000020.00020000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000002.4593662972.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qnPyaKsYTE.exe, 00000007.00000000.2154339993.000000000012E000.00000002.00000001.01000000.0000000C.sdmp, qnPyaKsYTE.exe, 0000000A.00000000.2297414318.000000000012E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: wntdll.pdbUGP source: QUOTE2342534.exe, 00000004.00000002.2232503719.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4594573230.0000000003810000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2232129759.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2233823345.000000000366A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4594573230.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: iFFZ.pdbSHA256 source: QUOTE2342534.exe
Source: Binary string: wntdll.pdb source: QUOTE2342534.exe, QUOTE2342534.exe, 00000004.00000002.2232503719.00000000016F0000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, mshta.exe, 00000008.00000002.4594573230.0000000003810000.00000040.00001000.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2232129759.00000000034B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.2233823345.000000000366A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.4594573230.00000000039AE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: iFFZ.pdb source: QUOTE2342534.exe
Source: Binary string: mshta.pdb source: QUOTE2342534.exe, 00000004.00000002.2232065125.0000000001197000.00000004.00000020.00020000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000002.4593662972.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: QUOTE2342534.exe, formMain.cs .Net Code: InitializeComponent
Source: 0.2.QUOTE2342534.exe.38e0b90.0.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, RgTGNHbnx4wRLD1BjK.cs .Net Code: uVluVFvwkb System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, RgTGNHbnx4wRLD1BjK.cs .Net Code: uVluVFvwkb System.Reflection.Assembly.Load(byte[])
Source: 0.2.QUOTE2342534.exe.7080000.2.raw.unpack, Uo.cs .Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 8.2.mshta.exe.3eecd14.2.raw.unpack, formMain.cs .Net Code: InitializeComponent
Source: 10.0.qnPyaKsYTE.exe.287cd14.1.raw.unpack, formMain.cs .Net Code: InitializeComponent
Source: 10.2.qnPyaKsYTE.exe.287cd14.1.raw.unpack, formMain.cs .Net Code: InitializeComponent
Source: 11.2.firefox.exe.2928cd14.0.raw.unpack, formMain.cs .Net Code: InitializeComponent
Binary contains a suspicious time stamp
Source: QUOTE2342534.exe Static PE information: 0xD96D0FA5 [Sat Aug 4 22:41:41 2085 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_004118F3 push esp; iretd 4_2_00411926
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_004118B0 push esp; iretd 4_2_00411926
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0041B2EA pushfd ; retf 4_2_0041B2ED
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_004033D0 push eax; ret 4_2_004033D2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0040BCC7 push C1009F53h; ret 4_2_0040BCCE
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_00406567 push edx; iretd 4_2_00406568
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_004165BD pushfd ; retf 4_2_004165C1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0040863B push ebx; iretd 4_2_0040863C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0041E74B push ds; iretd 4_2_0041E74C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017209AD push ecx; mov dword ptr [esp], ecx 4_2_017209B6
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_04192500 push eax; retf 7_2_0419250A
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_04197D71 pushfd ; retf 7_2_04197D74
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0418874E push C1009F53h; ret 7_2_04188755
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_04182FEE push edx; iretd 7_2_04182FEF
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_04193044 pushfd ; retf 7_2_04193048
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_041850C2 push ebx; iretd 7_2_041850C3
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0419B1D2 push ds; iretd 7_2_0419B1D3
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0418E337 push esp; iretd 7_2_0418E3AD
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Code function: 7_2_0418E37A push esp; iretd 7_2_0418E3AD
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0381225F pushad ; ret 8_2_038127F9
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038127FA pushad ; ret 8_2_038127F9
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_038409AD push ecx; mov dword ptr [esp], ecx 8_2_038409B6
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_0381283D push eax; iretd 8_2_03812858
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_03811200 push eax; iretd 8_2_03811369
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F2E4DD push esp; iretd 8_2_02F2E553
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F2E520 push esp; iretd 8_2_02F2E553
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F288F4 push C1009F53h; ret 8_2_02F288FB
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F408E4 push 9C6AA52Bh; iretd 8_2_02F40948
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F25268 push ebx; iretd 8_2_02F25269
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F3B378 push ds; iretd 8_2_02F3B379
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F331EA pushfd ; retf 8_2_02F331EE
Source: QUOTE2342534.exe Static PE information: section name: .text entropy: 7.948843186706725
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, s4g7xRntK7HFTBAmjj.cs High entropy of concatenated method names: 'jERLPTU3Is', 'KelLOPnWq2', 'kaELVBuOLn', 'AQ1LrCNrXl', 'OH9LBKEGwN', 'QUDLwVXiPu', 'E2ELJuAVq7', 'pnmL9bQZ9w', 'VX1LqR5rH2', 'iweLsofJYh'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, RgTGNHbnx4wRLD1BjK.cs High entropy of concatenated method names: 'bOACZ7hoBA', 'OtmCXXaMrV', 'O56Cm5Jya3', 'fsZCTZ9r7t', 'VbRC6BA0wC', 'OSFC0Ey1U8', 'oiXCLWo6q9', 'oQxCerMZTQ', 'xgKCADA3Ps', 'KKLCRJ9cVK'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, U4eIuf1F4uGthpELRy.cs High entropy of concatenated method names: 'elFQRJGsnG', 'IReQGpka2J', 'ToString', 'YC9QXTjpGA', 'rBlQmTUCGh', 'A2GQTMgYB8', 'pmlQ66NyNZ', 'OfrQ0mKZar', 'CRSQLRlvl1', 'd1HQeLCK3i'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, oHNWP3xqOXnYKOwagv.cs High entropy of concatenated method names: 'Uf5QbL79Gk', 'SulQI2yDY6', 'dDEklnIMKW', 'iLTko5fa6u', 'LclQ7SgRUP', 'xMaQDESP86', 'yQYQNGZNBf', 'kkUQ8HEQt5', 'PJvQalsL6Q', 'TQpQnwMihO'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, CA3vo9DeDOwaY5w3me.cs High entropy of concatenated method names: 'jCUkXiFyBb', 'xjokmQuVH7', 'B0TkTrPLW4', 'YYik6JTvSZ', 'jn4k0Zkl7i', 'WAXkL4DxRj', 'efGkeayHiG', 'YLykADdnfY', 'PE3kRqfYJE', 'ztGkGrNgAg'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, TkT3gfvpRSNgErHQaQ.cs High entropy of concatenated method names: 'COQKo2VQXn', 'aJZKCXly9h', 'APZKuS8AI4', 'wC5KX1vx5w', 'TjfKmvqOQ9', 'VCWK6lQbYH', 'pOCK09Sb21', 'Vd6kypE8TO', 'kL1kbOPfMP', 'hSbkHNLGPH'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, M6mAoGGtiWJ0hqSmA5.cs High entropy of concatenated method names: 'Bqn0ZlnOW4', 'uPc0mUNE7t', 'zow06SJ65b', 'cV80LQCB5h', 'fBj0efLI6G', 'XTQ6t3Sfdt', 'xal6W8T3Z0', 'xTA6yWJ4LG', 'USQ6blctSG', 'wXH6H3iZQv'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, b9hATX05wLpDVq4ne4.cs High entropy of concatenated method names: 'Wpam8p8GvI', 'QUUma7YGd6', 'XJQmnCbu5M', 'Vummd0Jwwm', 'EJJmt9gT7e', 'oIAmW20noQ', 'qfJmyox0XC', 'XEAmbIOfEP', 'PmvmHkOw4B', 'fFRmImPiCr'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, tU4IJD49cubmoRg8Gk.cs High entropy of concatenated method names: 'qbrLXuNV6d', 'BGlLTf2Lqj', 's03L0hSMjE', 'yDn0ILXwv3', 'kiv0ztbKmL', 'LXSLl9ojlu', 'mhwLoLy6HV', 'XWOL4gskSn', 'UH0LCwTM7i', 'ERfLuEPdoL'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, cEVPWK7soYoDsnybXw.cs High entropy of concatenated method names: 'JmCkcMFkSc', 'xCak5aaywZ', 'njokS7AsWJ', 'LiFkvrRVTU', 'VrYk8gWlRO', 'bwtkf7KmiE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, pNb3QZTjfGM6vQZARU.cs High entropy of concatenated method names: 'PHWF9P58AD', 'qmeFqcJo1h', 'lB4FcYJr0e', 'VBLF59K3dG', 'tSaFvOoLsJ', 'oCRFfeUp3Y', 'kd4FpZFfNv', 'e7BF3eHHDl', 'YjYFh5HBGX', 'yctF78leip'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, KF5bE15KD7itN7XHNN.cs High entropy of concatenated method names: 'AsC6BbdvEg', 'US46JVGdmB', 'wpoTSXnpAM', 'VIWTvD5M97', 'BKUTf86v12', 'gT2T1P0A53', 'gIPTp3VVcw', 'd2bT3XbeW0', 'R8mTiHVX6r', 'F8bThdC0O9'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, eq4Yw4laQbFZQ9YnSO.cs High entropy of concatenated method names: 'RoZVkdlMu', 'IokrI2xIv', 'eMTwJOlIR', 'FPYJOZwM1', 'B69qmsFlW', 'LLZsi39dd', 'Pb5plf9Mw2qk7fq5o9', 'CgQQv0Bf0t7u2kWcJL', 'En3kAwraB', 'GtaxBXyJr'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, ckyhrWsrr3WEVToDvX.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CM14HNvDn8', 'z0c4IL8aHr', 'vwE4zxwjNM', 'ES9Cl6ntWg', 'SrLCoh2uX7', 'gVLC4lXqRs', 'S6pCCfk4iJ', 'ypUnrNOOT0eR8E1IGZ2'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, QrrAevQFuxKJYAdplq.cs High entropy of concatenated method names: 'Ww6oLGLa0H', 'gAkoeBjh4V', 'LnooR4wok8', 'bhjoGgB25N', 'jFcoYCFS4m', 'nF0oMX05gl', 'pDNlIw4hG8nXEKBIsd', 'iJ5wuISINQBspOb6u3', 'z7toolHUf2', 't4ooCm19sr'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, V6sh5ea6d9bGrdVyfIO.cs High entropy of concatenated method names: 'tvrKPfVeqG', 'pDkKODuOed', 'z91KV4sPIb', 'sqEKrWJIpP', 'B9uKBhZ490', 'aToKwDuZwS', 'Wo9KJ8l2AR', 'vyyK95RFCb', 'io8KqWOHb5', 'XNtKsgNsDX'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, HksaVK8qpESfOv37Jt.cs High entropy of concatenated method names: 'Dispose', 'qbmoHMRS2a', 'NKu45yTRQ2', 'O14UUhVcPK', 'XcXoIRE2kM', 'shtozseqIt', 'ProcessDialogKey', 'gwm4lbug0S', 'jLt4o1qYGj', 'ebW4467ukZ'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, antDFoW3jL51WwDMKQ.cs High entropy of concatenated method names: 'oLOTrit6I1', 'xqqTwoUWGV', 'GX1T98kESU', 'hAmTqyc7NA', 'QjlTYT1VFa', 'HhXTMkmMED', 'jDSTQZQKma', 'gb3TkLfrh2', 'RB2TK1NgIc', 'Ka4Txx2noF'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, btQxbDHvSZeM3yABlR.cs High entropy of concatenated method names: 'poPYhFkX4Q', 'KbbYDhvIjg', 'CB8Y8VtNu9', 'rocYa3wfac', 'DS7Y5bmfPr', 'BtvYS4RHYQ', 'm9cYvMBP4J', 'QyIYfieBFt', 'fhHY1hUXkE', 'URrYpgqs3k'
Source: 0.2.QUOTE2342534.exe.438b4a0.1.raw.unpack, JvaI8SaRcvwgX0l9NJu.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NfNx8vB03G', 'LHhxaZl2Mm', 'sENxn9F9lm', 'asKxdaMZPZ', 'qNhxtcFpCA', 'YZaxWcZPHF', 'VmFxy4FRLF'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, s4g7xRntK7HFTBAmjj.cs High entropy of concatenated method names: 'jERLPTU3Is', 'KelLOPnWq2', 'kaELVBuOLn', 'AQ1LrCNrXl', 'OH9LBKEGwN', 'QUDLwVXiPu', 'E2ELJuAVq7', 'pnmL9bQZ9w', 'VX1LqR5rH2', 'iweLsofJYh'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, RgTGNHbnx4wRLD1BjK.cs High entropy of concatenated method names: 'bOACZ7hoBA', 'OtmCXXaMrV', 'O56Cm5Jya3', 'fsZCTZ9r7t', 'VbRC6BA0wC', 'OSFC0Ey1U8', 'oiXCLWo6q9', 'oQxCerMZTQ', 'xgKCADA3Ps', 'KKLCRJ9cVK'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, U4eIuf1F4uGthpELRy.cs High entropy of concatenated method names: 'elFQRJGsnG', 'IReQGpka2J', 'ToString', 'YC9QXTjpGA', 'rBlQmTUCGh', 'A2GQTMgYB8', 'pmlQ66NyNZ', 'OfrQ0mKZar', 'CRSQLRlvl1', 'd1HQeLCK3i'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, oHNWP3xqOXnYKOwagv.cs High entropy of concatenated method names: 'Uf5QbL79Gk', 'SulQI2yDY6', 'dDEklnIMKW', 'iLTko5fa6u', 'LclQ7SgRUP', 'xMaQDESP86', 'yQYQNGZNBf', 'kkUQ8HEQt5', 'PJvQalsL6Q', 'TQpQnwMihO'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, CA3vo9DeDOwaY5w3me.cs High entropy of concatenated method names: 'jCUkXiFyBb', 'xjokmQuVH7', 'B0TkTrPLW4', 'YYik6JTvSZ', 'jn4k0Zkl7i', 'WAXkL4DxRj', 'efGkeayHiG', 'YLykADdnfY', 'PE3kRqfYJE', 'ztGkGrNgAg'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, TkT3gfvpRSNgErHQaQ.cs High entropy of concatenated method names: 'COQKo2VQXn', 'aJZKCXly9h', 'APZKuS8AI4', 'wC5KX1vx5w', 'TjfKmvqOQ9', 'VCWK6lQbYH', 'pOCK09Sb21', 'Vd6kypE8TO', 'kL1kbOPfMP', 'hSbkHNLGPH'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, M6mAoGGtiWJ0hqSmA5.cs High entropy of concatenated method names: 'Bqn0ZlnOW4', 'uPc0mUNE7t', 'zow06SJ65b', 'cV80LQCB5h', 'fBj0efLI6G', 'XTQ6t3Sfdt', 'xal6W8T3Z0', 'xTA6yWJ4LG', 'USQ6blctSG', 'wXH6H3iZQv'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, b9hATX05wLpDVq4ne4.cs High entropy of concatenated method names: 'Wpam8p8GvI', 'QUUma7YGd6', 'XJQmnCbu5M', 'Vummd0Jwwm', 'EJJmt9gT7e', 'oIAmW20noQ', 'qfJmyox0XC', 'XEAmbIOfEP', 'PmvmHkOw4B', 'fFRmImPiCr'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, tU4IJD49cubmoRg8Gk.cs High entropy of concatenated method names: 'qbrLXuNV6d', 'BGlLTf2Lqj', 's03L0hSMjE', 'yDn0ILXwv3', 'kiv0ztbKmL', 'LXSLl9ojlu', 'mhwLoLy6HV', 'XWOL4gskSn', 'UH0LCwTM7i', 'ERfLuEPdoL'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, cEVPWK7soYoDsnybXw.cs High entropy of concatenated method names: 'JmCkcMFkSc', 'xCak5aaywZ', 'njokS7AsWJ', 'LiFkvrRVTU', 'VrYk8gWlRO', 'bwtkf7KmiE', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, pNb3QZTjfGM6vQZARU.cs High entropy of concatenated method names: 'PHWF9P58AD', 'qmeFqcJo1h', 'lB4FcYJr0e', 'VBLF59K3dG', 'tSaFvOoLsJ', 'oCRFfeUp3Y', 'kd4FpZFfNv', 'e7BF3eHHDl', 'YjYFh5HBGX', 'yctF78leip'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, KF5bE15KD7itN7XHNN.cs High entropy of concatenated method names: 'AsC6BbdvEg', 'US46JVGdmB', 'wpoTSXnpAM', 'VIWTvD5M97', 'BKUTf86v12', 'gT2T1P0A53', 'gIPTp3VVcw', 'd2bT3XbeW0', 'R8mTiHVX6r', 'F8bThdC0O9'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, eq4Yw4laQbFZQ9YnSO.cs High entropy of concatenated method names: 'RoZVkdlMu', 'IokrI2xIv', 'eMTwJOlIR', 'FPYJOZwM1', 'B69qmsFlW', 'LLZsi39dd', 'Pb5plf9Mw2qk7fq5o9', 'CgQQv0Bf0t7u2kWcJL', 'En3kAwraB', 'GtaxBXyJr'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, ckyhrWsrr3WEVToDvX.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CM14HNvDn8', 'z0c4IL8aHr', 'vwE4zxwjNM', 'ES9Cl6ntWg', 'SrLCoh2uX7', 'gVLC4lXqRs', 'S6pCCfk4iJ', 'ypUnrNOOT0eR8E1IGZ2'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, QrrAevQFuxKJYAdplq.cs High entropy of concatenated method names: 'Ww6oLGLa0H', 'gAkoeBjh4V', 'LnooR4wok8', 'bhjoGgB25N', 'jFcoYCFS4m', 'nF0oMX05gl', 'pDNlIw4hG8nXEKBIsd', 'iJ5wuISINQBspOb6u3', 'z7toolHUf2', 't4ooCm19sr'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, V6sh5ea6d9bGrdVyfIO.cs High entropy of concatenated method names: 'tvrKPfVeqG', 'pDkKODuOed', 'z91KV4sPIb', 'sqEKrWJIpP', 'B9uKBhZ490', 'aToKwDuZwS', 'Wo9KJ8l2AR', 'vyyK95RFCb', 'io8KqWOHb5', 'XNtKsgNsDX'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, HksaVK8qpESfOv37Jt.cs High entropy of concatenated method names: 'Dispose', 'qbmoHMRS2a', 'NKu45yTRQ2', 'O14UUhVcPK', 'XcXoIRE2kM', 'shtozseqIt', 'ProcessDialogKey', 'gwm4lbug0S', 'jLt4o1qYGj', 'ebW4467ukZ'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, antDFoW3jL51WwDMKQ.cs High entropy of concatenated method names: 'oLOTrit6I1', 'xqqTwoUWGV', 'GX1T98kESU', 'hAmTqyc7NA', 'QjlTYT1VFa', 'HhXTMkmMED', 'jDSTQZQKma', 'gb3TkLfrh2', 'RB2TK1NgIc', 'Ka4Txx2noF'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, btQxbDHvSZeM3yABlR.cs High entropy of concatenated method names: 'poPYhFkX4Q', 'KbbYDhvIjg', 'CB8Y8VtNu9', 'rocYa3wfac', 'DS7Y5bmfPr', 'BtvYS4RHYQ', 'm9cYvMBP4J', 'QyIYfieBFt', 'fhHY1hUXkE', 'URrYpgqs3k'
Source: 0.2.QUOTE2342534.exe.b860000.3.raw.unpack, JvaI8SaRcvwgX0l9NJu.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NfNx8vB03G', 'LHhxaZl2Mm', 'sENxn9F9lm', 'asKxdaMZPZ', 'qNhxtcFpCA', 'YZaxWcZPHF', 'VmFxy4FRLF'

Hooking and other Techniques for Hiding and Protection
barindex
Loading BitLocker PowerShell Module
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: QUOTE2342534.exe PID: 1992, type: MEMORYSTR
Switches to a custom stack to bypass stack traces
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\mshta.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: EF0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: 28C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: 48C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: 8B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: 9B40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: 9D50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: AD50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: B8F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: C8F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: D8F0000 memory reserve | memory write watch Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0176096E rdtsc 4_2_0176096E
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QUOTE2342534.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5523 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2244 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Window / User API: threadDelayed 9783 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\QUOTE2342534.exe API coverage: 0.7 %
Source: C:\Windows\SysWOW64\mshta.exe API coverage: 2.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QUOTE2342534.exe TID: 3148 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6192 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6196 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 4028 Thread sleep count: 190 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 4028 Thread sleep time: -380000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 4028 Thread sleep count: 9783 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe TID: 4028 Thread sleep time: -19566000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe TID: 3480 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe TID: 3480 Thread sleep time: -61500s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe TID: 3480 Thread sleep time: -47000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mshta.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mshta.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mshta.exe Code function: 8_2_02F3C390 FindFirstFileW,FindNextFileW,FindClose, 8_2_02F3C390
Source: C:\Users\user\Desktop\QUOTE2342534.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: 4-4-J4.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 4-4-J4.8.dr Binary or memory string: discord.comVMware20,11696428655f
Source: 4-4-J4.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 4-4-J4.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: global block list test formVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 4-4-J4.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 4-4-J4.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 4-4-J4.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 4-4-J4.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 4-4-J4.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 4-4-J4.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 4-4-J4.8.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 4-4-J4.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: mshta.exe, 00000008.00000002.4592995544.0000000002FB3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 4-4-J4.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: firefox.exe, 0000000B.00000002.2520941156.0000021D292FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllAA
Source: 4-4-J4.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 4-4-J4.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 4-4-J4.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 4-4-J4.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 4-4-J4.8.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 4-4-J4.8.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 4-4-J4.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: qnPyaKsYTE.exe, 0000000A.00000002.4594205767.000000000094F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: 4-4-J4.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 4-4-J4.8.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 4-4-J4.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 4-4-J4.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0176096E rdtsc 4_2_0176096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_004176E3 LdrLoadDll, 4_2_004176E3
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B8158 mov eax, dword ptr fs:[00000030h] 4_2_017B8158
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726154 mov eax, dword ptr fs:[00000030h] 4_2_01726154
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726154 mov eax, dword ptr fs:[00000030h] 4_2_01726154
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171C156 mov eax, dword ptr fs:[00000030h] 4_2_0171C156
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B4144 mov eax, dword ptr fs:[00000030h] 4_2_017B4144
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B4144 mov eax, dword ptr fs:[00000030h] 4_2_017B4144
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B4144 mov ecx, dword ptr fs:[00000030h] 4_2_017B4144
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B4144 mov eax, dword ptr fs:[00000030h] 4_2_017B4144
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B4144 mov eax, dword ptr fs:[00000030h] 4_2_017B4144
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01750124 mov eax, dword ptr fs:[00000030h] 4_2_01750124
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CA118 mov ecx, dword ptr fs:[00000030h] 4_2_017CA118
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CA118 mov eax, dword ptr fs:[00000030h] 4_2_017CA118
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CA118 mov eax, dword ptr fs:[00000030h] 4_2_017CA118
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CA118 mov eax, dword ptr fs:[00000030h] 4_2_017CA118
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E0115 mov eax, dword ptr fs:[00000030h] 4_2_017E0115
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov eax, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov ecx, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov eax, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov eax, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov ecx, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov eax, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov eax, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov ecx, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov eax, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE10E mov ecx, dword ptr fs:[00000030h] 4_2_017CE10E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017501F8 mov eax, dword ptr fs:[00000030h] 4_2_017501F8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F61E5 mov eax, dword ptr fs:[00000030h] 4_2_017F61E5
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0179E1D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0179E1D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E1D0 mov ecx, dword ptr fs:[00000030h] 4_2_0179E1D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0179E1D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E1D0 mov eax, dword ptr fs:[00000030h] 4_2_0179E1D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E61C3 mov eax, dword ptr fs:[00000030h] 4_2_017E61C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E61C3 mov eax, dword ptr fs:[00000030h] 4_2_017E61C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A019F mov eax, dword ptr fs:[00000030h] 4_2_017A019F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A019F mov eax, dword ptr fs:[00000030h] 4_2_017A019F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A019F mov eax, dword ptr fs:[00000030h] 4_2_017A019F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A019F mov eax, dword ptr fs:[00000030h] 4_2_017A019F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171A197 mov eax, dword ptr fs:[00000030h] 4_2_0171A197
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171A197 mov eax, dword ptr fs:[00000030h] 4_2_0171A197
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171A197 mov eax, dword ptr fs:[00000030h] 4_2_0171A197
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01760185 mov eax, dword ptr fs:[00000030h] 4_2_01760185
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DC188 mov eax, dword ptr fs:[00000030h] 4_2_017DC188
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DC188 mov eax, dword ptr fs:[00000030h] 4_2_017DC188
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C4180 mov eax, dword ptr fs:[00000030h] 4_2_017C4180
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C4180 mov eax, dword ptr fs:[00000030h] 4_2_017C4180
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174C073 mov eax, dword ptr fs:[00000030h] 4_2_0174C073
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01722050 mov eax, dword ptr fs:[00000030h] 4_2_01722050
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6050 mov eax, dword ptr fs:[00000030h] 4_2_017A6050
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B6030 mov eax, dword ptr fs:[00000030h] 4_2_017B6030
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171A020 mov eax, dword ptr fs:[00000030h] 4_2_0171A020
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171C020 mov eax, dword ptr fs:[00000030h] 4_2_0171C020
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E016 mov eax, dword ptr fs:[00000030h] 4_2_0173E016
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E016 mov eax, dword ptr fs:[00000030h] 4_2_0173E016
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E016 mov eax, dword ptr fs:[00000030h] 4_2_0173E016
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E016 mov eax, dword ptr fs:[00000030h] 4_2_0173E016
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A4000 mov ecx, dword ptr fs:[00000030h] 4_2_017A4000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C2000 mov eax, dword ptr fs:[00000030h] 4_2_017C2000
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171C0F0 mov eax, dword ptr fs:[00000030h] 4_2_0171C0F0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017620F0 mov ecx, dword ptr fs:[00000030h] 4_2_017620F0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_0171A0E3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A60E0 mov eax, dword ptr fs:[00000030h] 4_2_017A60E0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017280E9 mov eax, dword ptr fs:[00000030h] 4_2_017280E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A20DE mov eax, dword ptr fs:[00000030h] 4_2_017A20DE
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E60B8 mov eax, dword ptr fs:[00000030h] 4_2_017E60B8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E60B8 mov ecx, dword ptr fs:[00000030h] 4_2_017E60B8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B80A8 mov eax, dword ptr fs:[00000030h] 4_2_017B80A8
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172208A mov eax, dword ptr fs:[00000030h] 4_2_0172208A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C437C mov eax, dword ptr fs:[00000030h] 4_2_017C437C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A035C mov eax, dword ptr fs:[00000030h] 4_2_017A035C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A035C mov eax, dword ptr fs:[00000030h] 4_2_017A035C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A035C mov eax, dword ptr fs:[00000030h] 4_2_017A035C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A035C mov ecx, dword ptr fs:[00000030h] 4_2_017A035C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A035C mov eax, dword ptr fs:[00000030h] 4_2_017A035C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A035C mov eax, dword ptr fs:[00000030h] 4_2_017A035C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EA352 mov eax, dword ptr fs:[00000030h] 4_2_017EA352
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C8350 mov ecx, dword ptr fs:[00000030h] 4_2_017C8350
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A2349 mov eax, dword ptr fs:[00000030h] 4_2_017A2349
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171C310 mov ecx, dword ptr fs:[00000030h] 4_2_0171C310
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01740310 mov ecx, dword ptr fs:[00000030h] 4_2_01740310
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A30B mov eax, dword ptr fs:[00000030h] 4_2_0175A30B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A30B mov eax, dword ptr fs:[00000030h] 4_2_0175A30B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A30B mov eax, dword ptr fs:[00000030h] 4_2_0175A30B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0173E3F0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0173E3F0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E3F0 mov eax, dword ptr fs:[00000030h] 4_2_0173E3F0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017563FF mov eax, dword ptr fs:[00000030h] 4_2_017563FF
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017303E9 mov eax, dword ptr fs:[00000030h] 4_2_017303E9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE3DB mov eax, dword ptr fs:[00000030h] 4_2_017CE3DB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE3DB mov eax, dword ptr fs:[00000030h] 4_2_017CE3DB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE3DB mov ecx, dword ptr fs:[00000030h] 4_2_017CE3DB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CE3DB mov eax, dword ptr fs:[00000030h] 4_2_017CE3DB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C43D4 mov eax, dword ptr fs:[00000030h] 4_2_017C43D4
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C43D4 mov eax, dword ptr fs:[00000030h] 4_2_017C43D4
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DC3CD mov eax, dword ptr fs:[00000030h] 4_2_017DC3CD
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0172A3C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0172A3C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0172A3C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0172A3C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0172A3C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0172A3C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017283C0 mov eax, dword ptr fs:[00000030h] 4_2_017283C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017283C0 mov eax, dword ptr fs:[00000030h] 4_2_017283C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017283C0 mov eax, dword ptr fs:[00000030h] 4_2_017283C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017283C0 mov eax, dword ptr fs:[00000030h] 4_2_017283C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A63C0 mov eax, dword ptr fs:[00000030h] 4_2_017A63C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01718397 mov eax, dword ptr fs:[00000030h] 4_2_01718397
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01718397 mov eax, dword ptr fs:[00000030h] 4_2_01718397
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01718397 mov eax, dword ptr fs:[00000030h] 4_2_01718397
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171E388 mov eax, dword ptr fs:[00000030h] 4_2_0171E388
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171E388 mov eax, dword ptr fs:[00000030h] 4_2_0171E388
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171E388 mov eax, dword ptr fs:[00000030h] 4_2_0171E388
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174438F mov eax, dword ptr fs:[00000030h] 4_2_0174438F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174438F mov eax, dword ptr fs:[00000030h] 4_2_0174438F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D0274 mov eax, dword ptr fs:[00000030h] 4_2_017D0274
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01724260 mov eax, dword ptr fs:[00000030h] 4_2_01724260
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01724260 mov eax, dword ptr fs:[00000030h] 4_2_01724260
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01724260 mov eax, dword ptr fs:[00000030h] 4_2_01724260
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171826B mov eax, dword ptr fs:[00000030h] 4_2_0171826B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171A250 mov eax, dword ptr fs:[00000030h] 4_2_0171A250
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726259 mov eax, dword ptr fs:[00000030h] 4_2_01726259
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DA250 mov eax, dword ptr fs:[00000030h] 4_2_017DA250
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DA250 mov eax, dword ptr fs:[00000030h] 4_2_017DA250
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A8243 mov eax, dword ptr fs:[00000030h] 4_2_017A8243
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A8243 mov ecx, dword ptr fs:[00000030h] 4_2_017A8243
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171823B mov eax, dword ptr fs:[00000030h] 4_2_0171823B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017302E1 mov eax, dword ptr fs:[00000030h] 4_2_017302E1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017302E1 mov eax, dword ptr fs:[00000030h] 4_2_017302E1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017302E1 mov eax, dword ptr fs:[00000030h] 4_2_017302E1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0172A2C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0172A2C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0172A2C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0172A2C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A2C3 mov eax, dword ptr fs:[00000030h] 4_2_0172A2C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017302A0 mov eax, dword ptr fs:[00000030h] 4_2_017302A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017302A0 mov eax, dword ptr fs:[00000030h] 4_2_017302A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B62A0 mov eax, dword ptr fs:[00000030h] 4_2_017B62A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B62A0 mov ecx, dword ptr fs:[00000030h] 4_2_017B62A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B62A0 mov eax, dword ptr fs:[00000030h] 4_2_017B62A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B62A0 mov eax, dword ptr fs:[00000030h] 4_2_017B62A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B62A0 mov eax, dword ptr fs:[00000030h] 4_2_017B62A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B62A0 mov eax, dword ptr fs:[00000030h] 4_2_017B62A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E284 mov eax, dword ptr fs:[00000030h] 4_2_0175E284
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E284 mov eax, dword ptr fs:[00000030h] 4_2_0175E284
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A0283 mov eax, dword ptr fs:[00000030h] 4_2_017A0283
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A0283 mov eax, dword ptr fs:[00000030h] 4_2_017A0283
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A0283 mov eax, dword ptr fs:[00000030h] 4_2_017A0283
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175656A mov eax, dword ptr fs:[00000030h] 4_2_0175656A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175656A mov eax, dword ptr fs:[00000030h] 4_2_0175656A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175656A mov eax, dword ptr fs:[00000030h] 4_2_0175656A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728550 mov eax, dword ptr fs:[00000030h] 4_2_01728550
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728550 mov eax, dword ptr fs:[00000030h] 4_2_01728550
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730535 mov eax, dword ptr fs:[00000030h] 4_2_01730535
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730535 mov eax, dword ptr fs:[00000030h] 4_2_01730535
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730535 mov eax, dword ptr fs:[00000030h] 4_2_01730535
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730535 mov eax, dword ptr fs:[00000030h] 4_2_01730535
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730535 mov eax, dword ptr fs:[00000030h] 4_2_01730535
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730535 mov eax, dword ptr fs:[00000030h] 4_2_01730535
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E53E mov eax, dword ptr fs:[00000030h] 4_2_0174E53E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E53E mov eax, dword ptr fs:[00000030h] 4_2_0174E53E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E53E mov eax, dword ptr fs:[00000030h] 4_2_0174E53E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E53E mov eax, dword ptr fs:[00000030h] 4_2_0174E53E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E53E mov eax, dword ptr fs:[00000030h] 4_2_0174E53E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B6500 mov eax, dword ptr fs:[00000030h] 4_2_017B6500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4500 mov eax, dword ptr fs:[00000030h] 4_2_017F4500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4500 mov eax, dword ptr fs:[00000030h] 4_2_017F4500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4500 mov eax, dword ptr fs:[00000030h] 4_2_017F4500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4500 mov eax, dword ptr fs:[00000030h] 4_2_017F4500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4500 mov eax, dword ptr fs:[00000030h] 4_2_017F4500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4500 mov eax, dword ptr fs:[00000030h] 4_2_017F4500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4500 mov eax, dword ptr fs:[00000030h] 4_2_017F4500
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017225E0 mov eax, dword ptr fs:[00000030h] 4_2_017225E0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E5E7 mov eax, dword ptr fs:[00000030h] 4_2_0174E5E7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C5ED mov eax, dword ptr fs:[00000030h] 4_2_0175C5ED
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C5ED mov eax, dword ptr fs:[00000030h] 4_2_0175C5ED
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017265D0 mov eax, dword ptr fs:[00000030h] 4_2_017265D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A5D0 mov eax, dword ptr fs:[00000030h] 4_2_0175A5D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A5D0 mov eax, dword ptr fs:[00000030h] 4_2_0175A5D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E5CF mov eax, dword ptr fs:[00000030h] 4_2_0175E5CF
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E5CF mov eax, dword ptr fs:[00000030h] 4_2_0175E5CF
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017445B1 mov eax, dword ptr fs:[00000030h] 4_2_017445B1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017445B1 mov eax, dword ptr fs:[00000030h] 4_2_017445B1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A05A7 mov eax, dword ptr fs:[00000030h] 4_2_017A05A7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A05A7 mov eax, dword ptr fs:[00000030h] 4_2_017A05A7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A05A7 mov eax, dword ptr fs:[00000030h] 4_2_017A05A7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E59C mov eax, dword ptr fs:[00000030h] 4_2_0175E59C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01722582 mov eax, dword ptr fs:[00000030h] 4_2_01722582
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01722582 mov ecx, dword ptr fs:[00000030h] 4_2_01722582
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01754588 mov eax, dword ptr fs:[00000030h] 4_2_01754588
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174A470 mov eax, dword ptr fs:[00000030h] 4_2_0174A470
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174A470 mov eax, dword ptr fs:[00000030h] 4_2_0174A470
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174A470 mov eax, dword ptr fs:[00000030h] 4_2_0174A470
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AC460 mov ecx, dword ptr fs:[00000030h] 4_2_017AC460
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DA456 mov eax, dword ptr fs:[00000030h] 4_2_017DA456
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171645D mov eax, dword ptr fs:[00000030h] 4_2_0171645D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174245A mov eax, dword ptr fs:[00000030h] 4_2_0174245A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175E443 mov eax, dword ptr fs:[00000030h] 4_2_0175E443
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A430 mov eax, dword ptr fs:[00000030h] 4_2_0175A430
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171E420 mov eax, dword ptr fs:[00000030h] 4_2_0171E420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171E420 mov eax, dword ptr fs:[00000030h] 4_2_0171E420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171E420 mov eax, dword ptr fs:[00000030h] 4_2_0171E420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171C427 mov eax, dword ptr fs:[00000030h] 4_2_0171C427
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6420 mov eax, dword ptr fs:[00000030h] 4_2_017A6420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6420 mov eax, dword ptr fs:[00000030h] 4_2_017A6420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6420 mov eax, dword ptr fs:[00000030h] 4_2_017A6420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6420 mov eax, dword ptr fs:[00000030h] 4_2_017A6420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6420 mov eax, dword ptr fs:[00000030h] 4_2_017A6420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6420 mov eax, dword ptr fs:[00000030h] 4_2_017A6420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A6420 mov eax, dword ptr fs:[00000030h] 4_2_017A6420
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01758402 mov eax, dword ptr fs:[00000030h] 4_2_01758402
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01758402 mov eax, dword ptr fs:[00000030h] 4_2_01758402
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01758402 mov eax, dword ptr fs:[00000030h] 4_2_01758402
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017204E5 mov ecx, dword ptr fs:[00000030h] 4_2_017204E5
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017544B0 mov ecx, dword ptr fs:[00000030h] 4_2_017544B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AA4B0 mov eax, dword ptr fs:[00000030h] 4_2_017AA4B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017264AB mov eax, dword ptr fs:[00000030h] 4_2_017264AB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017DA49A mov eax, dword ptr fs:[00000030h] 4_2_017DA49A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728770 mov eax, dword ptr fs:[00000030h] 4_2_01728770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730770 mov eax, dword ptr fs:[00000030h] 4_2_01730770
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720750 mov eax, dword ptr fs:[00000030h] 4_2_01720750
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762750 mov eax, dword ptr fs:[00000030h] 4_2_01762750
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762750 mov eax, dword ptr fs:[00000030h] 4_2_01762750
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AE75D mov eax, dword ptr fs:[00000030h] 4_2_017AE75D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A4755 mov eax, dword ptr fs:[00000030h] 4_2_017A4755
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175674D mov esi, dword ptr fs:[00000030h] 4_2_0175674D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175674D mov eax, dword ptr fs:[00000030h] 4_2_0175674D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175674D mov eax, dword ptr fs:[00000030h] 4_2_0175674D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175273C mov eax, dword ptr fs:[00000030h] 4_2_0175273C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175273C mov ecx, dword ptr fs:[00000030h] 4_2_0175273C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175273C mov eax, dword ptr fs:[00000030h] 4_2_0175273C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179C730 mov eax, dword ptr fs:[00000030h] 4_2_0179C730
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C720 mov eax, dword ptr fs:[00000030h] 4_2_0175C720
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C720 mov eax, dword ptr fs:[00000030h] 4_2_0175C720
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720710 mov eax, dword ptr fs:[00000030h] 4_2_01720710
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01750710 mov eax, dword ptr fs:[00000030h] 4_2_01750710
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C700 mov eax, dword ptr fs:[00000030h] 4_2_0175C700
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017247FB mov eax, dword ptr fs:[00000030h] 4_2_017247FB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017247FB mov eax, dword ptr fs:[00000030h] 4_2_017247FB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017427ED mov eax, dword ptr fs:[00000030h] 4_2_017427ED
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017427ED mov eax, dword ptr fs:[00000030h] 4_2_017427ED
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017427ED mov eax, dword ptr fs:[00000030h] 4_2_017427ED
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AE7E1 mov eax, dword ptr fs:[00000030h] 4_2_017AE7E1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172C7C0 mov eax, dword ptr fs:[00000030h] 4_2_0172C7C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A07C3 mov eax, dword ptr fs:[00000030h] 4_2_017A07C3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017207AF mov eax, dword ptr fs:[00000030h] 4_2_017207AF
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D47A0 mov eax, dword ptr fs:[00000030h] 4_2_017D47A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C678E mov eax, dword ptr fs:[00000030h] 4_2_017C678E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01752674 mov eax, dword ptr fs:[00000030h] 4_2_01752674
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E866E mov eax, dword ptr fs:[00000030h] 4_2_017E866E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E866E mov eax, dword ptr fs:[00000030h] 4_2_017E866E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A660 mov eax, dword ptr fs:[00000030h] 4_2_0175A660
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A660 mov eax, dword ptr fs:[00000030h] 4_2_0175A660
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173C640 mov eax, dword ptr fs:[00000030h] 4_2_0173C640
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173E627 mov eax, dword ptr fs:[00000030h] 4_2_0173E627
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01756620 mov eax, dword ptr fs:[00000030h] 4_2_01756620
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01758620 mov eax, dword ptr fs:[00000030h] 4_2_01758620
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172262C mov eax, dword ptr fs:[00000030h] 4_2_0172262C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01762619 mov eax, dword ptr fs:[00000030h] 4_2_01762619
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E609 mov eax, dword ptr fs:[00000030h] 4_2_0179E609
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173260B mov eax, dword ptr fs:[00000030h] 4_2_0173260B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173260B mov eax, dword ptr fs:[00000030h] 4_2_0173260B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173260B mov eax, dword ptr fs:[00000030h] 4_2_0173260B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173260B mov eax, dword ptr fs:[00000030h] 4_2_0173260B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173260B mov eax, dword ptr fs:[00000030h] 4_2_0173260B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173260B mov eax, dword ptr fs:[00000030h] 4_2_0173260B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0173260B mov eax, dword ptr fs:[00000030h] 4_2_0173260B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0179E6F2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0179E6F2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0179E6F2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E6F2 mov eax, dword ptr fs:[00000030h] 4_2_0179E6F2
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A06F1 mov eax, dword ptr fs:[00000030h] 4_2_017A06F1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A06F1 mov eax, dword ptr fs:[00000030h] 4_2_017A06F1
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A6C7 mov ebx, dword ptr fs:[00000030h] 4_2_0175A6C7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A6C7 mov eax, dword ptr fs:[00000030h] 4_2_0175A6C7
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017566B0 mov eax, dword ptr fs:[00000030h] 4_2_017566B0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C6A6 mov eax, dword ptr fs:[00000030h] 4_2_0175C6A6
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01724690 mov eax, dword ptr fs:[00000030h] 4_2_01724690
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01724690 mov eax, dword ptr fs:[00000030h] 4_2_01724690
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C4978 mov eax, dword ptr fs:[00000030h] 4_2_017C4978
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C4978 mov eax, dword ptr fs:[00000030h] 4_2_017C4978
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AC97C mov eax, dword ptr fs:[00000030h] 4_2_017AC97C
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01746962 mov eax, dword ptr fs:[00000030h] 4_2_01746962
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01746962 mov eax, dword ptr fs:[00000030h] 4_2_01746962
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01746962 mov eax, dword ptr fs:[00000030h] 4_2_01746962
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0176096E mov eax, dword ptr fs:[00000030h] 4_2_0176096E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0176096E mov edx, dword ptr fs:[00000030h] 4_2_0176096E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0176096E mov eax, dword ptr fs:[00000030h] 4_2_0176096E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A0946 mov eax, dword ptr fs:[00000030h] 4_2_017A0946
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A892A mov eax, dword ptr fs:[00000030h] 4_2_017A892A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B892B mov eax, dword ptr fs:[00000030h] 4_2_017B892B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AC912 mov eax, dword ptr fs:[00000030h] 4_2_017AC912
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01718918 mov eax, dword ptr fs:[00000030h] 4_2_01718918
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01718918 mov eax, dword ptr fs:[00000030h] 4_2_01718918
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E908 mov eax, dword ptr fs:[00000030h] 4_2_0179E908
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179E908 mov eax, dword ptr fs:[00000030h] 4_2_0179E908
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017529F9 mov eax, dword ptr fs:[00000030h] 4_2_017529F9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017529F9 mov eax, dword ptr fs:[00000030h] 4_2_017529F9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AE9E0 mov eax, dword ptr fs:[00000030h] 4_2_017AE9E0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0172A9D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0172A9D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0172A9D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0172A9D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0172A9D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172A9D0 mov eax, dword ptr fs:[00000030h] 4_2_0172A9D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017549D0 mov eax, dword ptr fs:[00000030h] 4_2_017549D0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EA9D3 mov eax, dword ptr fs:[00000030h] 4_2_017EA9D3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B69C0 mov eax, dword ptr fs:[00000030h] 4_2_017B69C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A89B3 mov esi, dword ptr fs:[00000030h] 4_2_017A89B3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A89B3 mov eax, dword ptr fs:[00000030h] 4_2_017A89B3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017A89B3 mov eax, dword ptr fs:[00000030h] 4_2_017A89B3
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017329A0 mov eax, dword ptr fs:[00000030h] 4_2_017329A0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017209AD mov eax, dword ptr fs:[00000030h] 4_2_017209AD
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017209AD mov eax, dword ptr fs:[00000030h] 4_2_017209AD
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AE872 mov eax, dword ptr fs:[00000030h] 4_2_017AE872
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AE872 mov eax, dword ptr fs:[00000030h] 4_2_017AE872
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B6870 mov eax, dword ptr fs:[00000030h] 4_2_017B6870
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B6870 mov eax, dword ptr fs:[00000030h] 4_2_017B6870
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01750854 mov eax, dword ptr fs:[00000030h] 4_2_01750854
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01724859 mov eax, dword ptr fs:[00000030h] 4_2_01724859
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01724859 mov eax, dword ptr fs:[00000030h] 4_2_01724859
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01732840 mov ecx, dword ptr fs:[00000030h] 4_2_01732840
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01742835 mov eax, dword ptr fs:[00000030h] 4_2_01742835
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01742835 mov eax, dword ptr fs:[00000030h] 4_2_01742835
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01742835 mov eax, dword ptr fs:[00000030h] 4_2_01742835
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01742835 mov ecx, dword ptr fs:[00000030h] 4_2_01742835
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01742835 mov eax, dword ptr fs:[00000030h] 4_2_01742835
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01742835 mov eax, dword ptr fs:[00000030h] 4_2_01742835
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175A830 mov eax, dword ptr fs:[00000030h] 4_2_0175A830
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C483A mov eax, dword ptr fs:[00000030h] 4_2_017C483A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C483A mov eax, dword ptr fs:[00000030h] 4_2_017C483A
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AC810 mov eax, dword ptr fs:[00000030h] 4_2_017AC810
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C8F9 mov eax, dword ptr fs:[00000030h] 4_2_0175C8F9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175C8F9 mov eax, dword ptr fs:[00000030h] 4_2_0175C8F9
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EA8E4 mov eax, dword ptr fs:[00000030h] 4_2_017EA8E4
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174E8C0 mov eax, dword ptr fs:[00000030h] 4_2_0174E8C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F08C0 mov eax, dword ptr fs:[00000030h] 4_2_017F08C0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017AC89D mov eax, dword ptr fs:[00000030h] 4_2_017AC89D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720887 mov eax, dword ptr fs:[00000030h] 4_2_01720887
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0171CB7E mov eax, dword ptr fs:[00000030h] 4_2_0171CB7E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F2B57 mov eax, dword ptr fs:[00000030h] 4_2_017F2B57
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F2B57 mov eax, dword ptr fs:[00000030h] 4_2_017F2B57
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F2B57 mov eax, dword ptr fs:[00000030h] 4_2_017F2B57
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F2B57 mov eax, dword ptr fs:[00000030h] 4_2_017F2B57
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CEB50 mov eax, dword ptr fs:[00000030h] 4_2_017CEB50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D4B4B mov eax, dword ptr fs:[00000030h] 4_2_017D4B4B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D4B4B mov eax, dword ptr fs:[00000030h] 4_2_017D4B4B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B6B40 mov eax, dword ptr fs:[00000030h] 4_2_017B6B40
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B6B40 mov eax, dword ptr fs:[00000030h] 4_2_017B6B40
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017EAB40 mov eax, dword ptr fs:[00000030h] 4_2_017EAB40
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017C8B42 mov eax, dword ptr fs:[00000030h] 4_2_017C8B42
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174EB20 mov eax, dword ptr fs:[00000030h] 4_2_0174EB20
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174EB20 mov eax, dword ptr fs:[00000030h] 4_2_0174EB20
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E8B28 mov eax, dword ptr fs:[00000030h] 4_2_017E8B28
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017E8B28 mov eax, dword ptr fs:[00000030h] 4_2_017E8B28
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179EB1D mov eax, dword ptr fs:[00000030h] 4_2_0179EB1D
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728BF0 mov eax, dword ptr fs:[00000030h] 4_2_01728BF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728BF0 mov eax, dword ptr fs:[00000030h] 4_2_01728BF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728BF0 mov eax, dword ptr fs:[00000030h] 4_2_01728BF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174EBFC mov eax, dword ptr fs:[00000030h] 4_2_0174EBFC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017ACBF0 mov eax, dword ptr fs:[00000030h] 4_2_017ACBF0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CEBD0 mov eax, dword ptr fs:[00000030h] 4_2_017CEBD0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01740BCB mov eax, dword ptr fs:[00000030h] 4_2_01740BCB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01740BCB mov eax, dword ptr fs:[00000030h] 4_2_01740BCB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01740BCB mov eax, dword ptr fs:[00000030h] 4_2_01740BCB
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720BCD mov eax, dword ptr fs:[00000030h] 4_2_01720BCD
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720BCD mov eax, dword ptr fs:[00000030h] 4_2_01720BCD
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720BCD mov eax, dword ptr fs:[00000030h] 4_2_01720BCD
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730BBE mov eax, dword ptr fs:[00000030h] 4_2_01730BBE
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730BBE mov eax, dword ptr fs:[00000030h] 4_2_01730BBE
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D4BB0 mov eax, dword ptr fs:[00000030h] 4_2_017D4BB0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017D4BB0 mov eax, dword ptr fs:[00000030h] 4_2_017D4BB0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179CA72 mov eax, dword ptr fs:[00000030h] 4_2_0179CA72
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0179CA72 mov eax, dword ptr fs:[00000030h] 4_2_0179CA72
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175CA6F mov eax, dword ptr fs:[00000030h] 4_2_0175CA6F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175CA6F mov eax, dword ptr fs:[00000030h] 4_2_0175CA6F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175CA6F mov eax, dword ptr fs:[00000030h] 4_2_0175CA6F
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017CEA60 mov eax, dword ptr fs:[00000030h] 4_2_017CEA60
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726A50 mov eax, dword ptr fs:[00000030h] 4_2_01726A50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726A50 mov eax, dword ptr fs:[00000030h] 4_2_01726A50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726A50 mov eax, dword ptr fs:[00000030h] 4_2_01726A50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726A50 mov eax, dword ptr fs:[00000030h] 4_2_01726A50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726A50 mov eax, dword ptr fs:[00000030h] 4_2_01726A50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726A50 mov eax, dword ptr fs:[00000030h] 4_2_01726A50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01726A50 mov eax, dword ptr fs:[00000030h] 4_2_01726A50
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730A5B mov eax, dword ptr fs:[00000030h] 4_2_01730A5B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01730A5B mov eax, dword ptr fs:[00000030h] 4_2_01730A5B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01744A35 mov eax, dword ptr fs:[00000030h] 4_2_01744A35
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01744A35 mov eax, dword ptr fs:[00000030h] 4_2_01744A35
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175CA38 mov eax, dword ptr fs:[00000030h] 4_2_0175CA38
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175CA24 mov eax, dword ptr fs:[00000030h] 4_2_0175CA24
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0174EA2E mov eax, dword ptr fs:[00000030h] 4_2_0174EA2E
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017ACA11 mov eax, dword ptr fs:[00000030h] 4_2_017ACA11
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175AAEE mov eax, dword ptr fs:[00000030h] 4_2_0175AAEE
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0175AAEE mov eax, dword ptr fs:[00000030h] 4_2_0175AAEE
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720AD0 mov eax, dword ptr fs:[00000030h] 4_2_01720AD0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01754AD0 mov eax, dword ptr fs:[00000030h] 4_2_01754AD0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01754AD0 mov eax, dword ptr fs:[00000030h] 4_2_01754AD0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01776ACC mov eax, dword ptr fs:[00000030h] 4_2_01776ACC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01776ACC mov eax, dword ptr fs:[00000030h] 4_2_01776ACC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01776ACC mov eax, dword ptr fs:[00000030h] 4_2_01776ACC
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728AA0 mov eax, dword ptr fs:[00000030h] 4_2_01728AA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01728AA0 mov eax, dword ptr fs:[00000030h] 4_2_01728AA0
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01776AA4 mov eax, dword ptr fs:[00000030h] 4_2_01776AA4
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01758A90 mov edx, dword ptr fs:[00000030h] 4_2_01758A90
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_0172EA80 mov eax, dword ptr fs:[00000030h] 4_2_0172EA80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017F4A80 mov eax, dword ptr fs:[00000030h] 4_2_017F4A80
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_017B8D6B mov eax, dword ptr fs:[00000030h] 4_2_017B8D6B
Source: C:\Users\user\Desktop\QUOTE2342534.exe Code function: 4_2_01720D59 mov eax, dword ptr fs:[00000030h] 4_2_01720D59
Enables debug privileges
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTE2342534.exe"
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTE2342534.exe" Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtQuerySystemInformation: Direct from: 0x76EF48CC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtOpenSection: Direct from: 0x76EF2E0C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtQueryInformationToken: Direct from: 0x76EF2CAC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtCreateFile: Direct from: 0x76EF2FEC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtOpenFile: Direct from: 0x76EF2DCC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtTerminateThread: Direct from: 0x76EF2FCC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtOpenKeyEx: Direct from: 0x76EF2B9C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtSetInformationProcess: Direct from: 0x76EF2C5C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtUnmapViewOfSection: Direct from: 0x76EF2D3C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtCreateMutant: Direct from: 0x76EF35CC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtResumeThread: Direct from: 0x76EF36AC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtMapViewOfSection: Direct from: 0x76EF2D1C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtReadFile: Direct from: 0x76EF2ADC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtDelayExecution: Direct from: 0x76EF2DDC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtQueryInformationProcess: Direct from: 0x76EF2C26 Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtResumeThread: Direct from: 0x76EF2FBC Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtCreateUserProcess: Direct from: 0x76EF371C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtWriteVirtualMemory: Direct from: 0x76EF490C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtSetInformationThread: Direct from: 0x76EE63F9 Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtSetInformationThread: Direct from: 0x76EF2B4C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe NtCreateKey: Direct from: 0x76EF2C6C Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\QUOTE2342534.exe Memory written: C:\Users\user\Desktop\QUOTE2342534.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: NULL target: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Section loaded: NULL target: C:\Windows\SysWOW64\mshta.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: NULL target: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: NULL target: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\mshta.exe Thread register set: target process: 2672 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\mshta.exe Thread APC queued: target process: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\QUOTE2342534.exe" Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Process created: C:\Users\user\Desktop\QUOTE2342534.exe "C:\Users\user\Desktop\QUOTE2342534.exe" Jump to behavior
Source: C:\Program Files (x86)\nwdHBqGyECJMAInuUlrdrCMOzEsZYrLMweXEyIPPnrlSQJvgJCDwLXrPoElJJdIExiptznTA\qnPyaKsYTE.exe Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: qnPyaKsYTE.exe, 00000007.00000002.4593878902.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000000.2155548995.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594454649.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: qnPyaKsYTE.exe, 00000007.00000002.4593878902.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000000.2155548995.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594454649.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: qnPyaKsYTE.exe, 00000007.00000002.4593878902.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000000.2155548995.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594454649.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: qnPyaKsYTE.exe, 00000007.00000002.4593878902.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 00000007.00000000.2155548995.0000000001441000.00000002.00000001.00040000.00000000.sdmp, qnPyaKsYTE.exe, 0000000A.00000002.4594454649.0000000000EC1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Users\user\Desktop\QUOTE2342534.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\QUOTE2342534.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4594417209.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2231861338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4594132519.0000000003340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4597123623.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4592913893.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2232369881.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2233350481.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4594398823.0000000003FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.QUOTE2342534.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.4594417209.0000000003680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2231861338.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4594132519.0000000003340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.4597123623.0000000004CB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4592913893.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2232369881.0000000001620000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2233350481.0000000002F40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4594398823.0000000003FD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541203 Sample: QUOTE2342534.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 37 www.xueerr.xyz 2->37 39 www.voidzero.tech 2->39 41 28 other IPs or domains 2->41 49 Suricata IDS alerts for network traffic 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for submitted file 2->53 57 6 other signatures 2->57 10 QUOTE2342534.exe 4 2->10         started        signatures3 55 Performs DNS queries to domains with low reputation 37->55 process4 file5 35 C:\Users\user\...\QUOTE2342534.exe.log, ASCII 10->35 dropped 69 Adds a directory exclusion to Windows Defender 10->69 71 Injects a PE file into a foreign processes 10->71 14 QUOTE2342534.exe 10->14         started        17 powershell.exe 23 10->17         started        signatures6 process7 signatures8 73 Maps a DLL or memory area into another process 14->73 19 qnPyaKsYTE.exe 14->19 injected 75 Loading BitLocker PowerShell Module 17->75 22 WmiPrvSE.exe 17->22         started        24 conhost.exe 17->24         started        process9 signatures10 59 Found direct / indirect Syscall (likely to bypass EDR) 19->59 26 mshta.exe 13 19->26         started        process11 signatures12 61 Tries to steal Mail credentials (via file / registry access) 26->61 63 Tries to harvest and steal browser information (history, passwords, etc) 26->63 65 Modifies the context of a thread in another process (thread injection) 26->65 67 3 other signatures 26->67 29 qnPyaKsYTE.exe 26->29 injected 33 firefox.exe 26->33         started        process13 dnsIp14 43 rtpsilva4d.click 67.223.117.169, 50035, 50036, 50037 VIMRO-AS15189US United States 29->43 45 www.xueerr.xyz 129.226.176.90, 50027, 50028, 50029 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore 29->45 47 11 other IPs or domains 29->47 77 Found direct / indirect Syscall (likely to bypass EDR) 29->77 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.0.215.33
 nieuws-july202491.sbs Canada
35893 ACPCA true
118.139.178.37
 coba168.info Singapore
26496 AS-26496-GO-DADDY-COM-LLCUS true
129.226.176.90
 www.xueerr.xyz Singapore
132203 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN true
213.249.67.10
 www.onlineblikje.online Netherlands
42585 METAREGISTRARNL true
67.223.117.169
 rtpsilva4d.click United States
15189 VIMRO-AS15189US true
154.9.228.56
 www.mcse.top United States
395800 GBTCLOUDUS true
129.226.56.200
 b1-3-r111.kunlundns.top Singapore
132203 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN true
154.7.176.67
 www.putizhong.homes United States
174 COGENT-174US true
84.32.84.32
 voidzero.tech Lithuania
33922 NTT-LT-ASLT true
209.74.64.190
 www.royapop.online United States
31744 MULTIBAND-NEWHOPEUS true
3.33.130.190
 huwin.club United States
8987 AMAZONEXPANSIONGB true

Contacted Domains

Name IP Active
www.royapop.online 209.74.64.190 true
voidzero.tech 84.32.84.32 true
nieuws-july202491.sbs 162.0.215.33 true
rtpsilva4d.click 67.223.117.169 true
b1-3-r111.kunlundns.top 129.226.56.200 true
www.xueerr.xyz 129.226.176.90 true
coba168.info 118.139.178.37 true
livpure-grab.online 84.32.84.32 true
huwin.club 3.33.130.190 true
everyone.golf 3.33.130.190 true
www.mcse.top 154.9.228.56 true
www.putizhong.homes 154.7.176.67 true
www.onlineblikje.online 213.249.67.10 true
bandukchi.com 3.33.130.190 true
b-ambu.com 84.32.84.32 true
www.coba168.info unknown unknown
www.huwin.club unknown unknown
www.jy58gdwf7t.skin unknown unknown
www.rtpsilva4d.click unknown unknown
www.everyone.golf unknown unknown
www.dxfwrc2h.sbs unknown unknown
www.livpure-grab.online unknown unknown
www.b-ambu.com unknown unknown
www.bandukchi.com unknown unknown
www.voidzero.tech unknown unknown
www.nieuws-july202491.sbs unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.bandukchi.com/4nqw/?7Bohe=TM4wmIiUDmnTKniklQ90uhNUhJ9wAlE9nf/Yl9jXXOP3K1JO7ypWLJJbcPRG/mn1E4sifjVCDcv63SEcY+fHR48yBI63+DhGjujcAAYsRe1/gzF87OhGQiowvZSxcJ02Hg==&vD=h0e85v true
    		unknown
    http://www.huwin.club/cvus/?7Bohe=L6/IgR7jnWgHAqCUWtdTnyQ3KOMoF6iy/gVxl52J0nU+SVs5srMG6NDyylAnxUOxWBqWqLnFW3nZioCT6UqXKC7zbsKc4BTPzCMAY+nXmzAcPovgamuSI2ghdEMnHjenpA==&vD=h0e85v true
      		unknown
      http://www.huwin.club/cvus/ true
        		unknown
        http://www.bandukchi.com/4nqw/ true
          		unknown
          http://www.livpure-grab.online/r966/ true
            		unknown
            http://www.mcse.top/djad/ true
              		unknown
              http://www.b-ambu.com/deo6/ true
                		unknown
                http://www.nieuws-july202491.sbs/4bpc/ true
                  		unknown
                  http://www.livpure-grab.online/r966/?vD=h0e85v&7Bohe=St0zOmS57JvxXHngaoKRrYwJhw67SG7V3FAZs2TYvCYNXtW49c+AatXE2ZBTP/KNdGCD9DmtL2naWYac77vyUP4q1YSJ6U5Kf8MwRQ43aJ1o9SgGH2ER+UvSNI1J5J1sVQ== true
                    		unknown
                    http://www.coba168.info/o55g/ true
                      		unknown
                      http://www.xueerr.xyz/vhqd/?7Bohe=WoZBIA9oyl+J2b4VfTP9l9A782ZII/35uSr01551g8NzakXtA+Pa5+JAPkHp6kowgs8acnK71ZwIZDZByVYOuYH08N3N2lAmC4I9AOVCDFEu0aUC6s+F7cMMpoEI61JPvA==&vD=h0e85v true
                        		unknown
                        http://www.royapop.online/elh0/?7Bohe=pzF/mZhnV0GSmLX+GycMwU6WT06CzqVGvQudBfY4Dqjs/3KtcpfJYGVadgWONk/4osLjzgZwgHUQ0ZwKAvTdTnbY8Qd/xTrHuaQfE1OzRfvOWlfeun0LuB51rXnhStJusg==&vD=h0e85v true
                          		unknown
                          http://www.xueerr.xyz/vhqd/ true
                            		unknown
                            http://www.onlineblikje.online/z0t0/?7Bohe=9B/xOqaHJLGzhK9+asydflyTnlILmfDyrXYYsxrw44oQhSljsJ3AUyXQia4yxUul1qSv48mAxItuxzOnZ7dQ4iYj8ngc1biNZhlnUORZPI7XnMKBVwak16kasN63mT84/Q==&vD=h0e85v true
                              		unknown
                              http://www.voidzero.tech/2vbz/?7Bohe=qlAZWX/ch455H6hDeAWyjxeCoVjeFLImmNyoFLJZcRWWfOSwb/dYbmE5Lo+ESXiDiuCMQOi3bdztXr54sGaKYuw5X5+G7ZC+wzrMILyG35q/IsHjv6ziuhAlYbb1UGsQUw==&vD=h0e85v true
                                		unknown
                                http://www.dxfwrc2h.sbs/28kl/?7Bohe=ZkKAB6qSK6F5HsjBEzwiMizWOSJwTbSi5er0Koahj7mpnIIYqRoLKzbDk71u2k+MO6tmUyIoyOO9F/o0RCIBFZEb81/8BfbGrnNiAiZNS4xvfhhZvRECGHuLoGBIxYjXhw==&vD=h0e85v true
                                  		unknown
                                  http://www.onlineblikje.online/z0t0/ true
                                    		unknown
                                    http://www.mcse.top/djad/?7Bohe=OgBIZAb3K3QVmDSyooTSIAO5Tll+jwwdUI93t9cTrZTAkguQuNIIHt4CXXwiEPUK7V7i0FBLQRxFESBesMpHDzV+LIhV5qbZyNO4rVJKeHZqQ73AKCfxWCZcLIU2txA0ig==&vD=h0e85v true
                                      		unknown
                                      http://www.putizhong.homes/oacu/?vD=h0e85v&7Bohe=QyeFQ+FiMQKSKdq/BKxG+5Ov1bwmlN3FnlPZyKM2ZYbXsZFvV/O3NTv6ZfeubWU6jSKaxDXQpId5DKUlUVN54eSFHJCOrp//l7em+zpeeu1iGig/Io/KcJQlUpo44DFlsQ== true
                                        		unknown
                                        http://www.royapop.online/elh0/ true
                                          		unknown
                                          http://www.everyone.golf/kb53/ true
                                            		unknown
                                            http://www.coba168.info/o55g/?7Bohe=SntAYgquUuF8cmTqKgeHt96czNjKbI7walrzfjn5MBbpbz0DMUAQT5TGmaCmCOcjM4ET7TOvVUXTFF/O6lHSx5C+s9iWJ/mgfg63citE2SV2GP/8IEdknZeeY7ynAeJL4g==&vD=h0e85v true
                                              		unknown
                                              http://www.b-ambu.com/deo6/?7Bohe=NByBCVC4fvk3zNlObrJyagJtuzfI3YQ4Ad7pkV0ATPDcP1/VdlZwhks7LZ4Zlk95UTsGsfg9gVB7u8RemM4hoUvK2Ig2OY9rZRI88AWKe5yd8pSEv6a6wulMHxqZW9lecA==&vD=h0e85v true
                                                		unknown
                                                http://www.voidzero.tech/2vbz/ true
                                                  		unknown
                                                  http://www.putizhong.homes/oacu/ true
                                                    		unknown